Brute Force Attack Report

This report identifies hosts that have been observed performing brute force attacks, using SISSDEN’s network of honeypots.

One of these honeypot sensor types is dedicated to detecting SSH and Telnet attacks against network devices. These attacks typically involve brute-forcing credentials to obtain access.

Once access has been obtained, the devices are used for other attacks, which may involve installing malicious software that enables the device to function as part of a botnet. For example, the well-known Mirai botnets were used in this way to launch DDoS attacks.

Compromised devices may also be used to scan for other vulnerable devices on the Internet. In other cases, brute-forcing a networking device can be a step towards financial theft: by inserting rogue DNS server entries into a home router's network configuration, an attacker can redirect users' traffic to malicious web pages and phish the users of that home network.

When we detect brute force attacks, our system reports them to the owners of the network from which the attacks originate, or to the National CERTs responsible for that network.

This report type was created as part of the EU Horizon 2020 SISSDEN Project.

Fields

  • timestamp
    Time that the attack was performed in UTC+0
  • ip
    The IP address performing the attack
  • port
    The source port used in the attack
  • asn
    ASN announcing the attacking IP
  • geo
    Country where the attacking IP resides
  • region
    State / Province / Administrative region where the attacking IP resides
  • city
    City where the attacking IP resides
  • hostname
    PTR record of the attacking IP
  • dest_ip
    The IP address of the device that was attacked
  • dest_port
    Destination port used in the attack
  • dest_asn
    ASN announcing the target IP
  • dest_geo
    Country where the target IP resides
  • dest_dns
    FQDN of the target, if applicable and recorded
  • service
    The type of service that was attacked, e.g. SSH, RDP, Telnet
  • naics
    North American Industry Classification System Code of the attacking IP
  • sic
    Standard Industrial Classification System Code of the attacking IP
  • dest_naics
    North American Industry Classification System Code of the target IP
  • dest_sic
    Standard Industrial Classification System Code of the target IP
  • sector
    Sector to which the attacking IP belongs
  • dest_sector
    Sector to which the target IP belongs
  • public_source
    Source of the data, for cases where the source accepts being credited
  • start_time
    Timestamp of first activity seen in the attack
  • end_time
    Timestamp of last activity seen in the attack
  • client_version
    The version string presented by the attacker's client (for SSH, the client identification banner), if applicable and recorded
  • username
    The first username that was attempted, if recorded
  • password
    The first password that was attempted, if recorded
  • payload_url
    If a payload was downloaded onto the target, the URL where the payload was downloaded from, if recorded
  • payload_md5
    The md5sum of the payload downloaded onto the target, if recorded

Sample

"timestamp","ip","port","asn","geo","region","city","hostname","dest_ip","dest_port","dest_asn","dest_geo","dest_dns","service","naics","sic","dest_naics","dest_sic","sector","dest_sector","public_source","start_time","end_time","client_version","username","password","payload_url","payload_md5"
"2017-04-27 00:00:06","185.38.148.3",4428,200039,"UK","BRISTOL","BRISTOL","3.148.38.185.dedicated.zare.com","158.255.215.199",22,39326,"FR",,"ssh",0,0,0,0,,"Information Technology","SISSDEN","2017-04-27T00:00:06.971212Z","2017-04-27T00:00:07.946253Z","SSH-2.0-paramiko_2.1.2",,,,
"2017-04-27 00:00:55","200.175.184.148",16503,18881,"BR","DISTRITO FEDERAL","BRASILIA","200.175.184.148.dynamic.dialup.gvt.net.br","5.28.63.131",22,35425,"UK",,"ssh",0,0,0,0,,,"SISSDEN","2017-04-27T00:00:55.344307Z","2017-04-27T00:01:04.196272Z","SSH-2.0-libssh2_1.7.0","operator","operator",,
"2017-04-27 00:01:45","186.52.245.178",32941,6057,"UY","MONTEVIDEO","MONTEVIDEO","r186-52-245-178.dialup.adsl.anteldata.net.uy","5.28.63.131",2223,35425,"UK",,,0,0,0,0,,,"SISSDEN","2017-04-27T00:01:45.602193Z","2017-04-27T00:03:30.883850Z",,"admin","password",,
"2017-04-27 00:05:45","77.126.141.114",56133,9116,"IL","HAMERKAZ","KEFAR SAVA",,"158.255.215.199",2223,39326,"FR",,,0,0,0,0,,"Information Technology","SISSDEN","2017-04-27T00:05:45.934820Z","2017-04-27T00:05:49.645513Z",,,,,
"2017-04-27 00:07:34","212.3.34.144",53558,39155,"ES","GRANADA","FUENTE CAMACHO","212-3-34-144.jetnet.es","5.28.63.131",2223,35425,"UK",,,0,0,0,0,,,"SISSDEN","2017-04-27T00:07:34.986231Z","2017-04-27T00:07:45.124409Z",,,,,
"2017-04-27 00:09:55","180.169.17.83",58809,4812,"CN","SHANGHAI","SHANGHAI",,"37.235.56.119",22,57169,"AT",,"ssh",0,0,0,0,"Communications",,"SISSDEN","2017-04-27T00:09:55.571712Z","2017-04-27T00:09:58.888294Z","SSH-2.0-sshlib-0.1",,,,
"2017-04-27 00:13:31","197.46.62.186",56735,8452,"EG","AL QAHIRAH","CAIRO","host-197.46.62.186.tedata.net","158.255.215.199",2223,39326,"FR",,,0,0,0,0,,"Information Technology","SISSDEN","2017-04-27T00:13:31.036802Z","2017-04-27T00:13:35.144108Z",,,,,
"2017-04-27 00:14:56","84.172.148.54",3316,3320,"DE","BADEN-WURTTEMBERG","SCHRIESHEIM","p54AC9436.dip0.t-ipconnect.de","37.235.56.119",22,57169,"AT",,"ssh",541690,874899,0,0,,,"SISSDEN","2017-04-27T00:14:56.303344Z","2017-04-27T00:15:28.185185Z","SSH-2.0-sshlib-0.1","admin",12345,,
"2017-04-27 00:16:29","171.231.155.225",56158,7552,"VN","BINH DINH","QUI NHON",,"5.28.63.131",22,35425,"UK",,"ssh",0,0,0,0,"Communications",,"SISSDEN","2017-04-27T00:16:29.168579Z","2017-04-27T00:18:29.170243Z","SSH-2.0-Granados-1.0","admin","admin",,
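The following is an added example and is not part of the original report documentation or of the SISSDEN / Shadowserver tooling: a small Python parser for the CSV format above. It embeds five rows copied from the sample (the other rows are omitted), parses the ISO 8601 start_time / end_time values, and derives the things a recipient usually wants first: how long each session lasted, which credentials were tried, which SSH client banners appeared, and which attacking IPs belong to which ASN, which is the grouping used when the network owner is notified. Rows with an empty service field (the port 2223 sessions) are kept and reported as "unrecorded" rather than dropped.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Header plus five records copied verbatim from the report sample above; the
# remaining sample rows are omitted, so all counts below refer to these five only.
SAMPLE = '''"timestamp","ip","port","asn","geo","region","city","hostname","dest_ip","dest_port","dest_asn","dest_geo","dest_dns","service","naics","sic","dest_naics","dest_sic","sector","dest_sector","public_source","start_time","end_time","client_version","username","password","payload_url","payload_md5"
"2017-04-27 00:00:06","185.38.148.3",4428,200039,"UK","BRISTOL","BRISTOL","3.148.38.185.dedicated.zare.com","158.255.215.199",22,39326,"FR",,"ssh",0,0,0,0,,"Information Technology","SISSDEN","2017-04-27T00:00:06.971212Z","2017-04-27T00:00:07.946253Z","SSH-2.0-paramiko_2.1.2",,,,
"2017-04-27 00:00:55","200.175.184.148",16503,18881,"BR","DISTRITO FEDERAL","BRASILIA","200.175.184.148.dynamic.dialup.gvt.net.br","5.28.63.131",22,35425,"UK",,"ssh",0,0,0,0,,,"SISSDEN","2017-04-27T00:00:55.344307Z","2017-04-27T00:01:04.196272Z","SSH-2.0-libssh2_1.7.0","operator","operator",,
"2017-04-27 00:01:45","186.52.245.178",32941,6057,"UY","MONTEVIDEO","MONTEVIDEO","r186-52-245-178.dialup.adsl.anteldata.net.uy","5.28.63.131",2223,35425,"UK",,,0,0,0,0,,,"SISSDEN","2017-04-27T00:01:45.602193Z","2017-04-27T00:03:30.883850Z",,"admin","password",,
"2017-04-27 00:14:56","84.172.148.54",3316,3320,"DE","BADEN-WURTTEMBERG","SCHRIESHEIM","p54AC9436.dip0.t-ipconnect.de","37.235.56.119",22,57169,"AT",,"ssh",541690,874899,0,0,,,"SISSDEN","2017-04-27T00:14:56.303344Z","2017-04-27T00:15:28.185185Z","SSH-2.0-sshlib-0.1","admin",12345,,
"2017-04-27 00:16:29","171.231.155.225",56158,7552,"VN","BINH DINH","QUI NHON",,"5.28.63.131",22,35425,"UK",,"ssh",0,0,0,0,"Communications",,"SISSDEN","2017-04-27T00:16:29.168579Z","2017-04-27T00:18:29.170243Z","SSH-2.0-Granados-1.0","admin","admin",,
'''

# start_time / end_time carry microseconds and a trailing Z (UTC), unlike the
# coarser "timestamp" column.
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_ts(value):
    """Parse a start_time or end_time value into an aware UTC datetime."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_report(text):
    """Parse report CSV text into one dict per row, adding parsed timestamps
    and the session duration in seconds. Unquoted numbers stay strings, so
    the unquoted password 12345 in the sample survives as "12345"."""
    records = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        row["start"] = parse_ts(row["start_time"])
        row["end"] = parse_ts(row["end_time"])
        row["duration_s"] = (row["end"] - row["start"]).total_seconds()
        records.append(row)
    return records


def by_service(records):
    """Count sessions per attacked service; an empty field is reported as
    'unrecorded' so those rows are not silently lost."""
    return Counter(r["service"] or "unrecorded" for r in records)


def credentials_tried(records):
    """Count (username, password) pairs; rows where neither was recorded are skipped."""
    return Counter((r["username"], r["password"])
                   for r in records if r["username"] or r["password"])


def client_versions(records):
    """Count the client banners seen (empty where none was recorded)."""
    return Counter(r["client_version"] for r in records if r["client_version"])


def attackers_by_asn(records):
    """Group attacking IPs by the ASN announcing them, the unit a network
    owner or national CERT would be notified about."""
    grouped = defaultdict(set)
    for r in records:
        grouped[r["asn"]].add(r["ip"])
    return dict(grouped)


def longest_session(records):
    """Return the record whose start_time/end_time span is the longest."""
    return max(records, key=lambda r: r["duration_s"])


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    print("sessions by service:", dict(by_service(recs)))
    print("credentials tried:", dict(credentials_tried(recs)))
    print("client banners:", dict(client_versions(recs)))
    for asn, ips in sorted(attackers_by_asn(recs).items()):
        print(f"AS{asn}: {sorted(ips)}")
    longest = longest_session(recs)
    print(f"longest session: {longest['ip']} -> {longest['dest_ip']}:{longest['dest_port']}"
          f" for {longest['duration_s']:.1f}s")
```

Only the first username and password are present in the report, so `credentials_tried` counts one pair per session, not the full wordlist the attacker worked through; the duration is the better indicator of how many attempts a session contained.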
