Distributed SSH attack

Xin LI delphij at delphij.net
Wed Oct 7 22:04:52 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, Andresen,

Andresen, Jason R. wrote:
[...]
>> Believe it or not, I find this pf.conf rule very effective to mitigate
>> this type of distributed SSH botnet attack:
>>
>> block in quick proto tcp from any os "Linux" to any port ssh
> 
> How does that work?  Does PF do some sort of os fingerprinting on the remote side before allowing the first SYN through?  

Well, this would have pros and cons.  pf employs a "fingerprint"
mechanism that passively detects the operating system based on some
predefined criteria, and "Linux" matches several old Linux kernels'
TCP fingerprints.

Note that with some tweaks to Linux's TCP parameters, or newer Linux
kernels, this can be bypassed.  However, if the administrator chooses to
do this, it's not quite likely that their boxes would be part of the botnet.

> Also, if you have a mix of Linux and FreeBSD boxes, presumably this
> would not be a great idea right?  It's not just getting people who
> are faking it?

Yes and no.  Attackers would adapt to whatever defenders try to stop
them with; however, for this type of attack (note that blocking Linux from
being able to SSH into one system does not mean you would be safer, it
just mitigates the excessive login issue), what the attacker wants is to
have more botnet boxes, and he or she wouldn't care about having one more
FreeBSD system there or not, at the expense of faking or tweaking the
TCP stack.

>> From what I've seen on this attack, it looks like the hosts just
>> send random logins to random IP addresses constantly, so adding an
>> IP address to a blackhole list isn't as effective because you'll be
>> getting hits from thousands of IP addresses, but only a single hit.
>> In fact it looks like this attack is specifically designed to
>> defeat the "I'll add the attacker's IP address to a black hole
>> list" strategy, by coming in on a different address every time.

Yes, that's right.  Since the scan is being done over a large IP
address space, it's possible to hide yourself by blocking Linux logins,
since these boxes are usually managed by negligent administrators and
tend not to apply security updates from time to time.

Cheers,
- --
Xin LI <delphij at delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.13 (FreeBSD)

iEYEARECAAYFAkrNEHkACgkQi+vbBBjt66BFxACfbfrUJnnVM9YGw6bVSo5hnfnO
BwwAoKFf8DnRd3suCIYMGhZN6FqlTPrP
=NwHo
-----END PGP SIGNATURE-----
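The mechanism Xin describes, as an added example that is not part of the original post and not pf's own code: a toy matcher in Python for pf.os(5)-style passive fingerprints. The signature lines and the three SYN records are constructed for the example (they approximate the pf.os field layout window:ttl:df:psize:options:class:version:subtype:details, not the real /etc/pf.os entries), the TTL tolerance is an assumption, and `ssh_policy` stands in for the quoted `block in quick proto tcp from any os "Linux" to any port ssh` rule. It also shows the bypass mentioned above: a Linux host whose receive window has been changed matches no "Linux" signature, so the rule passes it.

```python
"""Toy pf.os(5)-style passive OS fingerprinting (added example, not pf code).
Signature lines and SYNs below are constructed approximations, not /etc/pf.os."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# window: 'S4' = 4*MSS, 'T4' = 4*MTU, '%n' = multiple of n, '*' = any, else exact.
# options: M = MSS, S = SACK-OK, T = timestamp (T0 = zero-valued), N = NOP, W = wscale.
SIGNATURES_TEXT = """\
S4:64:1:60:M*,S,T,N,W0:Linux:2.4::Linux 2.4 (constructed)
S2:64:1:60:M*,S,T,N,W0:Linux:2.4::Linux 2.4 (constructed, small window)
S4:64:1:60:M*,S,T,N,W7:Linux:2.6::Linux 2.6 (constructed)
65535:64:1:60:M*,N,W*,N,N,T:FreeBSD:7::FreeBSD 7 (constructed)
"""

@dataclass
class Signature:
    window: str
    ttl: int                        # assumed initial TTL
    df: int
    psize: int                      # IP length of the SYN
    options: List[Tuple[str, str]]  # (letter, value spec), e.g. ("M", "*"), ("W", "0")
    osclass: str
    version: str
    subtype: str
    details: str

@dataclass
class Syn:
    """What a firewall can read from one SYN, with no active probing."""
    window: int
    ttl: int                                  # TTL as seen on the wire
    df: int
    psize: int
    options: List[Tuple[str, Optional[int]]]  # observed order, e.g. ("M", 1460)
    mtu: int = 1500

    @property
    def mss(self) -> Optional[int]:
        return next((v for k, v in self.options if k == "M"), None)

def parse_signature(line: str) -> Signature:
    f = line.split(":", 8)
    if len(f) != 9:
        raise ValueError(f"malformed signature: {line!r}")
    opts = [(t[0], t[1:]) for t in f[4].split(",") if t]
    return Signature(f[0], int(f[1]), int(f[2]), int(f[3]), opts, f[5], f[6], f[7], f[8].strip())

def load_signatures(text: str) -> List[Signature]:
    return [parse_signature(l) for l in text.splitlines() if l.strip()]

def _value_ok(spec: str, observed: Optional[int]) -> bool:
    if spec in ("", "*"):
        return True
    if observed is None:
        return False
    if spec.startswith("%"):
        return observed % int(spec[1:]) == 0
    return observed == int(spec)

def _window_ok(spec: str, syn: Syn) -> bool:
    if spec == "*":
        return True
    if spec.startswith("%"):
        return syn.window % int(spec[1:]) == 0
    if spec.startswith("S"):   # multiple of the advertised MSS
        return syn.mss is not None and syn.window == int(spec[1:]) * syn.mss
    if spec.startswith("T"):   # multiple of the MTU
        return syn.window == int(spec[1:]) * syn.mtu
    return syn.window == int(spec)

def _options_ok(sig_opts, syn_opts) -> bool:
    if len(sig_opts) != len(syn_opts):
        return False
    for (sl, spec), (ol, val) in zip(sig_opts, syn_opts):
        if sl != ol or (sl in ("M", "W") and not _value_ok(spec, val)):
            return False
        if sl == "T" and spec == "0" and val != 0:   # 'T0' wants a zero timestamp
            return False
    return True

def matches(sig: Signature, syn: Syn) -> bool:
    # TTL tolerance is an assumption: at most the initial TTL and within 32 hops of it.
    return (syn.df == sig.df and syn.psize == sig.psize
            and sig.ttl - 32 < syn.ttl <= sig.ttl
            and _window_ok(sig.window, syn) and _options_ok(sig.options, syn.options))

def classify(syn: Syn, sigs: List[Signature]) -> List[str]:
    """OS classes whose signature matches this SYN (what pf's 'os' keyword tests)."""
    return [s.osclass for s in sigs if matches(s, syn)]

def ssh_policy(syn: Syn, sigs: List[Signature], blocked: str = "Linux") -> str:
    """Decision of: block in quick proto tcp from any os "Linux" to any port ssh"""
    return "block" if blocked in classify(syn, sigs) else "pass"

SIGS = load_signatures(SIGNATURES_TEXT)

# Constructed SYNs: a Linux 2.4-style host six hops away, a FreeBSD-style host,
# and the same Linux host after its admin changed the receive window (bypass).
LINUX24_SYN = Syn(5840, 58, 1, 60, [("M", 1460), ("S", None), ("T", 4711), ("N", None), ("W", 0)])
FREEBSD_SYN = Syn(65535, 60, 1, 60, [("M", 1460), ("N", None), ("W", 6), ("N", None), ("N", None), ("T", 99)])
TWEAKED_LINUX_SYN = Syn(65535, 58, 1, 60, [("M", 1460), ("S", None), ("T", 4711), ("N", None), ("W", 0)])

if __name__ == "__main__":
    for name, syn in [("linux2.4", LINUX24_SYN), ("freebsd", FREEBSD_SYN), ("tweaked", TWEAKED_LINUX_SYN)]:
        print(name, classify(syn, SIGS), ssh_policy(syn, SIGS))
```

On a real FreeBSD or OpenBSD host the authoritative signature list is `/etc/pf.os` and `pfctl -s osfp` shows what pf has loaded; the matcher above only illustrates why a changed window, option order or TTL takes a host out of the "Linux" class, and why the rule is a noise reducer rather than a protection for sshd.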

