
Thursday, 18 September 2008

Geographically Identifying SSH Brute Force Attacks

Earlier this week the SANS Internet Storm Center (ISC) posted a diary related to SSH brute force password cracking. In this post they mention a tool called "BruteForceBlocker" by Daniel Geržo. BruteForceBlocker is a Perl script that works with syslog entries (specifically looking at failed sshd attempts) and the pf firewall to block IPs attempting SSH brute force attacks. I haven't personally used the script, but I have heard good things. The diary also mentions that Daniel maintains a blacklist of IP addresses involved in brute force SSH login attempts and that it has been very reliable and accurate.

I decided to do a test for myself and grabbed a few IP addresses that had hit one of my servers over the last few weeks. All five of the IP addresses I checked were on the list. It seems it's a good list to compare notes with and potentially use for putting in blocks. Chances are any IP address on this list is compromised and actively attacking. Of course any of the hosts could be cleaned up and fixed at any time and still be listed -- that's why there's a "Last Reported" field.

In any event, I found this data to be quite interesting and decided to play with it some and see who the attackers were. I first ran this through our server to get the ASN information for each IP address. There are certainly some interesting hosts on the list. That aside, I was also curious to get some statistics on where all the attacks were coming from -- geographically.

If you ever wondered what countries were doing the most SSH brute force attacking, then wonder no more! Here is what we found out using just the data available on Daniel's website.

Brute Force Attacks by Country:

Top Countries (by # of attacking IPs):

CN    415
US    340
BR    152
DE    147
KR    121
IT    96
PL    71
FR    69
TW    62
ES    61
IN    61
RU    57
JP    55
CO    52
UK    39
CA    36
CZ    35
MX    33
AT    32
AR    31
CL    29
NL    29
HK    28
AU    25
HU    25
MY    24
ZA    22
UA    21
RO    20

As you can see, China and the United States are the top two source countries by a large margin, with Brazil, Germany, and Korea rounding out the top five. A total of 95 countries appear on the list, and the number of attacking IPs slowly decreases as we reach the bottom of it.

The Data

If you are interested in the data, then feel free to take a look at the links below.

Attach:ip2asn.txt - IP addresses with ASN information.
Attach:GeoCount.txt - Full list of countries with attacking IP count.

In Conclusion

The data is certainly interesting; however, we aren't going to be drawing any real conclusions from it. We only have this limited data, which you also have and are welcome to draw your own conclusions from. Missing from all this is how many IPs each host attacks, how many different attempts it makes, or for how long it has been attacking. If you have any feedback or comments, please feel free to shoot us an e-mail.
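To show the two pieces of the process described in this post in working code, here is an added example (not BruteForceBlocker and not Shadowserver's own tooling): it counts failed sshd password attempts per source IP from syslog lines, aggregates the attacking IPs by country the way the table above does, and applies the "Last Reported" caveat by ignoring stale blacklist entries. The log lines, the prefix-to-country table and the blacklist are all constructed sample data; a real run would use a GeoIP/ASN database and Daniel's list.

```python
import ipaddress
from collections import Counter
from datetime import date

# Constructed auth.log excerpt in the format sshd writes via syslog (sample data, not real traffic).
AUTH_LOG = """\
Sep 17 20:01:12 host sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep 17 20:01:15 host sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Sep 17 20:01:19 host sshd[4122]: Failed password for root from 203.0.113.7 port 51240 ssh2
Sep 17 20:02:03 host sshd[4130]: Failed password for root from 198.51.100.23 port 40112 ssh2
Sep 17 20:02:40 host sshd[4131]: Accepted publickey for alice from 192.0.2.10 port 52000 ssh2
Sep 17 20:03:11 host sshd[4140]: Failed password for invalid user test from 192.0.2.77 port 33001 ssh2
"""

# Constructed stand-in for a prefix-to-country table (a real one comes from a GeoIP/ASN database).
PREFIX_COUNTRY = {"203.0.113.0/24": "CN", "198.51.100.0/24": "US", "192.0.2.0/24": "BR"}

# Constructed stand-in for a blacklist carrying a "Last Reported" date per IP.
BLACKLIST = {"203.0.113.7": date(2008, 9, 15), "198.51.100.23": date(2008, 7, 1)}

def failed_attempts(log):
    """Count failed sshd password attempts per source IP (the syslog check the post describes)."""
    counts = Counter()
    for line in log.splitlines():
        if "sshd[" in line and "Failed password" in line:
            counts[line.split(" from ")[1].split()[0]] += 1
    return counts

def country_of(ip):
    """Longest-match-free lookup against the small constructed prefix table; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in PREFIX_COUNTRY.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"

def attacking_ips_by_country(ips):
    """Number of distinct attacking IPs per country, like the Top Countries table."""
    return Counter(country_of(ip) for ip in ips).most_common()

def still_fresh(ip, today, max_age_days=30):
    """Trust a blacklist entry only if reported recently; the host may have been cleaned up since."""
    reported = BLACKLIST.get(ip)
    return reported is not None and (today - reported).days <= max_age_days

def block_candidates(log, today, threshold=3):
    """IPs at or above the local failure threshold, plus any with a fresh blacklist entry."""
    counts = failed_attempts(log)
    return sorted(ip for ip in counts if counts[ip] >= threshold or still_fresh(ip, today))
```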

Posted September 17, 2008, at 8:32 PM by Steven Adair


NSP-SEC Conference - Rotterdam, Netherlands

Freed0 should be in attendance.

Posted July 12, 2008, at 12:58 PM by freed0