What is this Very Stupid DOS Attack Script?

From: Martin McCormick (martin_at_dc.cis.okstate.edu)
Date: 04/06/05

    To: freebsd-security@freebsd.org
    Date: Wed, 06 Apr 2005 10:49:08 -0500

We have been noticing flurries of sshd reject messages in
which some system out there in the hinterlands hits us with a flood of
ssh login attempts. An example:

Apr 6 05:41:51 dc sshd[88763]: Did not receive identification string from 67.19.58.170
Apr 6 05:49:42 dc sshd[12389]: input_userauth_request: illegal user anonymous
Apr 6 05:49:42 dc sshd[12389]: Failed password for illegal user anonymous from 67.19.58.170 port 32942 ssh2
Apr 6 05:49:42 dc sshd[12389]: Received disconnect from 67.19.58.170: 11: Bye Bye
Apr 6 05:49:42 dc sshd[12406]: input_userauth_request: illegal user bruce
Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2
Apr 6 05:49:42 dc sshd[12406]: Received disconnect from 67.19.58.170: 11: Bye Bye
Apr 6 05:49:42 dc sshd[12422]: input_userauth_request: illegal user chuck

You get the idea. This goes on for 3 or 4 minutes and then
just stops for now. I can almost promise that later, another attack
will start from some other IP address and blaze away for a few
minutes.

Other than spewing lots of entries into syslog, what is the
purpose of the attack? Are they just hoping to luck into an open
account? The odds of guessing the right account name and then guessing
the correct password are astronomical to say the least.
Direct root logins are not possible so there is another roadblock.

This seems on the surface to be aimed at simply filling up the /var
file system, but it is so stupid as to make me wonder if there is
something else more sophisticated that we truly need to be trembling
in our shoes over.

I notice from the syslog servers here that the same system
is hammering other sshd applications on those devices at the same time
it is hitting this system, so whatever script it is is probably just
trolling our network, looking for anything that answers.

Thanks for any useful information as to the nature of what
appears to be more of a nuisance than a diabolical threat to security.

Martin McCormick WB5AGZ Stillwater, OK
OSU Information Technology Division Network Operations Group

