Thursday, 18 September 2008
Geographically Identifying SSH Brute Force Attacks
Earlier this week the SANS Internet Storm Center (ISC) posted a diary related to SSH brute force password cracking. In this post they mention a tool called "BruteForceBlocker" by Daniel Geržo. BruteForceBlocker is a Perl script that works with syslog entries (specifically looking at failed sshd attempts) and the pf firewall to block IPs attempting SSH brute force attacks. I haven't personally used the script, but I have heard good things. The diary also mentions that Daniel maintains a blacklist of IP addresses involved in brute force SSH login attempts and that it has been very reliable and accurate.
I decided to do a test for myself and grabbed a few IP addresses that had hit one of my servers over the last few weeks. All five of the IP addresses I checked were on the list. It seems it's a good list to compare notes with and potentially use for putting in blocks. Chances are any IP address on this list is compromised and actively attacking. Of course any of the hosts could be cleaned up and fixed at any time and still be listed -- that's why there's a "Last Reported" field.
In any event, I found this data to be quite interesting and decided to play with it some and see who the attackers were. I first ran this through our server to get the ASN information for each IP address. There are certainly some interesting hosts on the list. That aside, I was also curious to get some statistics on where all the attacks were coming from -- geographically.
If you ever wondered what countries were doing the most SSH brute force attacking, then wonder no more! Here is what we found out using just the data available on Daniel's website.
Brute Force Attacks by Country:

Top Countries (by # of attacking IPs):
CN 415
US 340
BR 152
DE 147
KR 121
IT 96
PL 71
FR 69
TW 62
ES 61
IN 61
RU 57
JP 55
CO 52
UK 39
CA 36
CZ 35
MX 33
AT 32
AR 31
CL 29
NL 29
HK 28
AU 25
HU 25
MY 24
ZA 22
UA 21
RO 20
As you can see, China and the United States are the top two source countries by a large margin, with Brazil, Germany, and Korea rounding out the top five. A total of 95 countries appear on the list, and the number of attacking IPs per country slowly decreases as we reach the bottom of it.
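The two steps the post describes, counting failed sshd attempts per source IP the way BruteForceBlocker does and then tallying attacking IPs by country as done above, as an added example that is not part of the original post or of either tool. The log lines, the blacklist entries and the IP-to-country table are all constructed stand-ins; a real run would read the syslog and a GeoIP database.

```python
import re
from collections import Counter

# Constructed sample sshd syslog lines (documentation-range addresses, not real attackers).
SAMPLE_AUTH_LOG = """\
Sep 15 03:12:01 host sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 15 03:12:03 host sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Sep 15 03:12:04 host sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Sep 15 03:12:09 host sshd[2210]: Failed password for root from 198.51.100.23 port 40011 ssh2
Sep 15 03:13:10 host sshd[2215]: Accepted publickey for alice from 192.0.2.10 port 55100 ssh2
Sep 15 03:14:20 host sshd[2220]: Failed password for invalid user test from 198.51.100.23 port 40019 ssh2
Sep 15 03:14:22 host sshd[2221]: Failed password for invalid user test from 198.51.100.23 port 40020 ssh2
Sep 15 03:15:00 host sshd[2230]: Failed password for bob from 192.0.2.10 port 55110 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# Constructed stand-ins: blacklist records as (last reported, report count) and a GeoIP lookup.
BLACKLIST = {"203.0.113.7": ("2008-09-14", 57)}
IP_TO_COUNTRY = {"203.0.113.7": "CN", "198.51.100.23": "US", "192.0.2.10": "DE"}

def failed_logins(log_text):
    """Count failed sshd password attempts per source IP, keeping the usernames tried."""
    counts, users = Counter(), {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            counts[ip] += 1
            users.setdefault(ip, set()).add(user)
    return counts, users

def suspicious_sources(log_text, threshold=2):
    """IPs with at least `threshold` failures, annotated with country and blacklist status."""
    counts, _ = failed_logins(log_text)
    return [{"ip": ip, "failures": n, "country": IP_TO_COUNTRY.get(ip, "??"),
             "blacklisted": ip in BLACKLIST}
            for ip, n in counts.most_common() if n >= threshold]

def by_country(ips):
    """Tally a list of attacking IPs by country, as the post does for the whole blacklist."""
    return Counter(IP_TO_COUNTRY.get(ip, "??") for ip in ips).most_common()

if __name__ == "__main__":
    for entry in suspicious_sources(SAMPLE_AUTH_LOG):
        print(entry)
    print(by_country([e["ip"] for e in suspicious_sources(SAMPLE_AUTH_LOG)]))
```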
The Data
If you are interested in the data, then feel free to take a look at the links below.
Attach:ip2asn.txt - IP addresses with ASN information.
Attach:GeoCount.txt - Full list of countries with attacking IP count.
In Conclusion
The data is certainly interesting; however, we aren't going to be drawing any real conclusions from it. We only have this limited data, which you also have and are welcome to draw your own conclusions from. Missing from all this is how many IPs each host attacks, how many different attempts they make, or for how long they have been attacking. If you have any feedback or comments, please feel free to shoot us an e-mail.
Posted September 17, 2008, at 8:32 PM by Steven Adair
NSP-SEC Conference - Rotterdam, Netherlands
Freed0 should be in attendance.
Posted July 12, 2008, at 12:58 PM by freed0