Security Incidents mailing list archives

Re: MASSIVE ssh attack attempt


From: jeffc () SHORE NET (Jeffrey D. Carter)
Date: Wed, 23 Feb 2000 12:03:36 -0500


Automatic digest processor <LISTSERV () lists securityfocus com>  writes:
-------------------------------------------------------------------------<
| Date:    Fri, 18 Feb 2000 15:15:03 -0800
| From:    Robert Graham <Robert.Graham () NETWORKICE COM>
| Subject: Re: MASSIVE ssh attack attempt
|
| PCanywhere uses UDP/22 rather than TCP/22.
|
| http://www.robertgraham.com/pubs/firewall-seen.html#port22
|
| My guess this is just a massive scan for the recent RSAREF bug.
|
| Rob.
-------------------------------------------------------------------------<

Since the targets appear to all be the same machine, it doesn't seem likely
that this would be looking for the RSAREF problem. After all, if the
first connect doesn't compromise the host, 2 through N won't either.

Sounds more like someone trying to do a directed DOS at your SSH
service (due to the unlimited connection problem).  SYN flood (which is
merely another form of DOS attack) would only make sense if SSH is the
only TCP port allowed to reach this machine.

So, who would want to prevent you from logging in via SSH, or otherwise
disabling this machine? If it's a SYN flood, is this machine trusted by
some other machine, such that spoofing the 'attacked' machine would be
useful? (See Northcutt's book on how this works)

Jeff Carter
Interware, Inc.
jeffc () shore net
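
The triage reasoning in the message above (one target hit repeatedly versus many targets hit once, then half-open versus completed connections), as an added example that is not part of the original post. The record layout, the thresholds and the sample addresses are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records, not data from the thread:
# (source IP, destination IP, destination TCP port, handshake completed?)
SWEEP = [("198.51.100.7", f"192.0.2.{i}", 22, True) for i in range(1, 21)]
CONN_FLOOD = [("198.51.100.7", "192.0.2.10", 22, True) for _ in range(40)]
SYN_FLOOD = [(f"203.0.113.{i}", "192.0.2.10", 22, False) for i in range(1, 41)]


def classify_port22(records, min_events=5, focus=0.9, half_open=0.8):
    """Label TCP/22 connection attempts as a sweep or a directed attack.

    Grouping is by destination, not source, because SYN flood sources are
    usually spoofed. All thresholds are illustrative assumptions:
      focus     - share of attempts on one host that makes it "directed"
      half_open - share of unfinished handshakes that suggests a SYN flood
    """
    attempts, completed = Counter(), Counter()
    for _src, dst, dport, handshake_done in records:
        if dport != 22:
            continue  # only the SSH port is of interest here
        attempts[dst] += 1
        completed[dst] += int(handshake_done)

    total = sum(attempts.values())
    if total < min_events:
        return "insufficient data"

    # A vulnerability sweep spends roughly one connect per host, so no
    # single destination dominates the attempt count.
    top_dst, top_count = attempts.most_common(1)[0]
    if top_count / total < focus:
        return "sweep"

    # Repeated attempts on one host: separate half-open floods from
    # completed connections that tie up the SSH daemon itself.
    unfinished = 1 - completed[top_dst] / top_count
    if unfinished >= half_open:
        return "directed: syn flood"
    return "directed: connection exhaustion"


if __name__ == "__main__":
    for name, data in [("sweep", SWEEP), ("conn", CONN_FLOOD), ("syn", SYN_FLOOD)]:
        print(name, "->", classify_port22(data))
```
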

