Security Incidents mailing list archives
Re: MASSIVE ssh attack attempt
From: jeffc () SHORE NET (Jeffrey D. Carter)
Date: Wed, 23 Feb 2000 12:03:36 -0500
Automatic digest processor <LISTSERV () lists securityfocus com> writes:
-------------------------------------------------------------------------<
| Date: Fri, 18 Feb 2000 15:15:03 -0800
| From: Robert Graham <Robert.Graham () NETWORKICE COM>
| Subject: Re: MASSIVE ssh attack attempt
|
| PCanywhere uses UDP/22 rather than TCP/22.
|
| http://www.robertgraham.com/pubs/firewall-seen.html#port22
|
| My guess this is just a massive scan for the recent RSAREF bug.
|
| Rob.
-------------------------------------------------------------------------<
Since the targets appear to all be the same machine, it doesn't seem likely that this would be looking for the RSAREF problem. After all, if the first connect doesn't compromise the host, 2 through N won't either.

Sounds more like someone trying to do a directed DOS at your SSH service (due to the unlimited connection problem). SYN flood (which is merely another form of DOS attack) would only make sense if SSH is the only TCP port allowed to reach this machine.

So, who would want to prevent you from logging in via SSH, or otherwise disabling this machine? If it's a SYN flood, is this machine trusted by some other machine, such that spoofing the 'attacked' machine would be useful? (See Northcutt's book on how this works)

Jeff Carter
Interware, Inc.
jeffc () shore net