Security Incidents mailing list archives

Re: MASSIVE ssh attack attempt


From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Thu, 17 Feb 2000 11:49:15 -0500


on that idea, i submitted a bug report to the ssh 1.x team last year
noting that they have no limit on the number of processes sshd can start.
it's a simple DoS. maybe this is what you're seeing. i posted to BUGTRAQ
on this, too, and the thread included a source patch to stave this off.

On Wed, 16 Feb 2000, Omachonu Ogali wrote:

On Tue, 15 Feb 2000, Mark Shirley wrote:

Our network has been receiving massive amounts of ssh connection attempts in a short period of time.


Feb 15 22:02:13 entropy2 iplog[24745]: TCP: ssh connection attempt from
210.134.59.39:1297
Feb 15 22:02:13 entropy2 iplog[24745]: TCP: ssh connection attempt from
36.56.53.111:1972
Feb 15 22:02:16 entropy2 iplog[24745]: TCP: ssh connection attempt from
124.64.2.61:1575
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
54.37.196.90:1418
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
17.39.116.29:1353
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
180.61.250.13:1848
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
91.99.173.23:1845
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
95.121.42.92:1940
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
124.208.184.123:1878
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
188.204.99.96:1319
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
220.160.75.65:1878

this is only a very small piece of the overall attack

it is obvious to me that they are spoofed ip addresses

Might possibly be a SYN flood.

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
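As an added illustration of the pattern in the quoted log (this is example code, not code from the thread, from iplog, or from the ssh project): a small Python parser for iplog "connection attempt" records, handling both the one-line form and the wrapped form shown in the archive, followed by a per-second burst count that flags seconds in which many attempts arrive from many distinct sources. The sample lines are constructed from the entries quoted above; the year (syslog timestamps carry none), the function names and the burst threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the iplog lines quoted in the thread, kept in the wrapped
# form (peer address on the following line) in which the archive shows them.
SAMPLE_LOG = """\
Feb 15 22:02:13 entropy2 iplog[24745]: TCP: ssh connection attempt from
210.134.59.39:1297
Feb 15 22:02:13 entropy2 iplog[24745]: TCP: ssh connection attempt from
36.56.53.111:1972
Feb 15 22:02:16 entropy2 iplog[24745]: TCP: ssh connection attempt from
124.64.2.61:1575
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
54.37.196.90:1418
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
17.39.116.29:1353
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
180.61.250.13:1848
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
91.99.173.23:1845
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
95.121.42.92:1940
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
124.208.184.123:1878
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
188.204.99.96:1319
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
220.160.75.65:1878
"""

# One iplog record: syslog timestamp, host, "iplog[pid]:", protocol, service,
# and, if the line was not wrapped, the peer "ip:port" at the end.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ iplog\[\d+\]: "
    r"(?P<proto>TCP|UDP): (?P<svc>\S+) connection attempt from"
    r"(?: (?P<peer>\S+))?$"
)
PEER_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$")


def _with_peer(ts, svc, peer):
    p = PEER_RE.match(peer)
    if p is None:
        raise ValueError(f"unparseable peer address: {peer!r}")
    return (ts, svc, p["ip"], int(p["port"]))


def parse_iplog(text, year=2000):
    """Return (timestamp, service, ip, port) tuples, one per record.
    A record whose peer address wrapped onto the next line is rejoined with
    that line. `year` is assumed because syslog timestamps carry none."""
    records = []
    pending = None  # (timestamp, service) of a record still awaiting its peer
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            if m["peer"]:
                records.append(_with_peer(ts, m["svc"], m["peer"]))
                pending = None
            else:
                pending = (ts, m["svc"])
        elif pending is not None and PEER_RE.match(line):
            records.append(_with_peer(pending[0], pending[1], line))
            pending = None
        # any other line (unrelated syslog output, junk) is ignored
    return records


def flag_bursts(records, service="ssh", threshold=5):
    """Group attempts for `service` by wall-clock second and return
    (second, attempts, distinct_sources) for every second whose count exceeds
    `threshold`, oldest first. Many attempts in one second, each from a
    different source, is the pattern the thread discusses: a connection
    flood (possibly with spoofed sources) that can exhaust a daemon which
    forks one child per connection with no cap."""
    per_second = defaultdict(list)
    for ts, svc, ip, _port in records:
        if svc == service:
            per_second[ts].append(ip)
    return [(ts, len(ips), len(set(ips)))
            for ts, ips in sorted(per_second.items()) if len(ips) > threshold]


if __name__ == "__main__":
    recs = parse_iplog(SAMPLE_LOG)
    print(f"{len(recs)} ssh connection attempts parsed")
    for ts, n, distinct in flag_bursts(recs):
        print(f"{ts:%b %d %H:%M:%S}: {n} attempts from {distinct} distinct sources")
```

On the quoted sample this reports one burst second (22:02:17) with eight attempts from eight distinct addresses; the threshold is deliberately a parameter, since a sensible value depends on how busy the host normally is. Counting distinct sources alongside raw attempts is what separates a flood from a single noisy client: one address retrying is a different problem from hundreds of never-repeating ones.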

