Distributed SSH attack

[Andresen, Jason R.]

>-----Original Message-----
>From: owner-freebsd-hackers at freebsd.org [mailto:owner-freebsd-
>hackers at freebsd.org] On Behalf Of Xin LI
>Sent: Sunday, October 04, 2009 4:35 AM
>To: Daniel O'Connor
>Cc: jruohonen at iki.fi; freebsd-hackers at freebsd.org; krad
>Subject: Re: Distributed SSH attack
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Daniel O'Connor wrote:
>> On Sat, 3 Oct 2009, krad wrote:
>>> simplest this to do is disable password auth, and use key based.
>>
>> Your logs are still full of crap though.
>>
>> I find sshguard works well, and I am fairly sure you couldn't spoof a
>> valid TCP connection through pf sanitising so it would be difficult
>> (nigh-impossible?) for someone to cause you to block a legit IP.
>>
>> If you can, changing the port sshd runs on is by far the simplest work
>> around. Galling as it is to have to change stuff to work around
>> malicious assholes..
>
>Believe it or not, I find this pf.conf rule very effective to mitigate
>this type of distributed SSH botnet attack:
>
>block in quick proto tcp from any os "Linux" to any port ssh

How does that work?  Does PF do some sort of os fingerprinting on the remote side before allowing the first SYN through?  

Also, if you have a mix of Linux and FreeBSD boxes, presumably this would not be a great idea right?  It's not just getting people who are faking it?  

>From what I've seen on this attack, it looks like the hosts just send random logins to random IP addresses constantly, so adding an IP address to a blackhole list isn't as effective because you'll be getting hits from thousands of IP addresses, but only a single hit.  In fact it looks like this attack is specifically designed to defeat the "I'll add the attacker's IP address to a black hole list" strategy, by coming in on a different address every time.