ssh distributed dictionary attack... how many requests/sec?

[Hu]

Although improbable, one innocuous explanation for the routine pings is that the address you are currently using was previously assigned to some service that the peer was legitimately trying to monitor for liveness, such as to warn someone if an important server went down. That server surrendered the address. You got it. Now they're monitoring you instead. Their failure to abandon the task could be because they have been abandoned, and their attempts to alert someone that you are down (which you would appear to be, since you are refusing to send ICMP echo responses) are being ignored. I think an odd botnet is more likely, but I can't find a good explanation for why a botnet would monitor like that.

Those hostnames aren't particularly useful on their own. All it really tells us is that an AWS customer is running an AWS EC2 instance (usually a Linux VM) and sending you traffic. We know they're in different parts of the country. We can't tell from that whether the customer ran these machines for this purpose or if these are poorly secured VMs that have been compromised and abused for scanning. If you don't mind sending them a bit of return traffic, check each of those systems for whether you can connect on port 22. If yes, then they are probably not firewalled at all on port 22, and anyone anywhere could have attacked them and compromised them. If no, then either they were compromised through other means (say, a Wordpress blog hosted on the VM) or they were rented specifically to scan other hosts. You could also check to see if they offer service on 80 and 443, but if they do, it's hard to guess much about their intended use without probing more deeply than seems polite.

[eccerr0r]

I've owned this particular IP address for many years now (static) which does paint a big target on my machine as I suspect static IP machines are desirable for C&C centers. But not sure if this is the only reason for monitoring.

I agree the hostnames are not useful on their own, but was wondering if perhaps Google (nope, they would use their own machines) or Amazon itself is monitoring my machine for whatever reason. But more likely, yes, it's a customer or 0wn3d customer. All three of these machines are sending equivalent ICMP strings which means they may well be running the same code.

I'll need to go to an anonymous site and take a look at those machines. Will stop by a public library and see what's at those IP addresses to make sure I don't get unwanted attention.

If only I had vast bandwidth to take ICMP storms from any revenge attacks, I'd rather just check from my own IP addresses. But my network connection is so poor that if they actually got in and checked, my network connection would be very undesirable to their use they may just leave it and forget it... (They should already know my ping latency is not great obviously, since they've been pinging, but this didn't seem to faze them unfortunately.)

---

EDIT

---

I reverse looked-up some more of the hosts. Some were invalid in-arpa reverses, but I just noticed a bunch of them are

***.***.***.***.bc.googleusercontent.com

Mystery continues...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[ChrisJumper]

Just use a unusual Port for connecting to sshd and you have nearly zero success for attackers...

[axl]

[eccerr0r]

Yeah, 9022 was not a good choice (actually I had both setup, but they found 9022 too; I completely disabled it now)...
But no matter, the number of attacks has dropped down a lot due to active blocking, just curious about the ICMP echo requests now.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[axl]

[eccerr0r]

Well as I said as well, the number of attempts have dropped down enough that it doesn't matter, even at 22 which is what it is now. I much prefer it at 22 anyway.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[axl]

[eccerr0r]

Nope, though I do have a VPN system that I solely use to access my internal network. I mean active blocking as in -- I actively choose to block those machines that send attacks. Yes I still have port 22 open so I can connect from anywhere if need be as I cannot predict whether or not the network I'm connected to will pass port UDP or even tcp/1194 and especially >32000, but typically it will pass 22.

The alternate ssh port was in case I or my automatic blocking lock myself out. This is the worst case scenario.

Eventually this is a convenience vs bandwidth waste issue (note I did not say security). Again I don't see dictionary attacks succeeding but it is wasting network bandwidth. But having two ports open means two times the number of attempts going in.

Still has no correlation to the ICMPs.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[eccerr0r]

Oh nice. Very nice.

Someone started spam authentication through SMTP AUTH...
Only one IP address so far. iptables gone.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[e3k]

last time i checked with nmap all the attacker IPs had also sshd running. a solution would probably be to build your own dictionary and automatically connect to the attackers to shut them down or erase. (probably not so simple but maybe worth of trying)
_________________

Flux & Contemplation - Portrait of an Artist in Isolation

[eccerr0r]

There's some legal implications in doing that...

though at one point I did randomly telnet back to that machine with (obviously incorrect) requests indicating that their machine cold possibly be rootkitted and should be investigated, but with tcpwrappers no longer part of openssh I stopped (plus the increase of attacks and the non-proliferation policy due to bandwidth limits).
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[Hu]

Even aside from the likely illegality of trying to reverse-hack them, it's not unheard of for an attacker to improve the security of a system after taking control of it, so that no one else hacks in and interferes with the first intruder. It's also possible that the offending bot was installed through some non-sshd weakness, like an insecure WordPress install, and that the sshd was already hardened enough that you would not be able to break in.

Probably the best you could hope for would be something like what eccerr0r describes, where you never actually breach the bot system, but you get the attention of the true administrator of that system and he/she intervenes to kill the bot and evict the intruder.

[e3k]

yes ignoring the bot by adding port knocking (as mentioned before) would be legal and probably more effective. on the other hand you could build a honey pot with a fake SSH (only auth sequence) which would store all the keys and passwords delivered. based on that you probably could do some statistics and deliver that to the authorities.ls
_________________

Flux & Contemplation - Portrait of an Artist in Isolation

[axl]

u guys brought up legality.

hack my system. delete my stuff. I'd be fine with that.

what I would NOT be fine with, is someone using my system to hack someone else.

Hu has a nostalgic and optimistic and naive kind of concept about good hackers. Well, maybe he doesn't. What he is referring to are tiger teams. Which is a thing. Or was a thing. Nowadays, not sure it's a thing anymore.

I feel like, the more bandwidth you have, the more uneasy you should feel about how that bandwidth is used. Much easier to try to prevent stuff, than try to explain later that it wasn't you.


And to the point of reporting stuff... I tried to report stuff. To the local police when the attacker was local. In Romania, they laughed in my face. Even though the attacker was in the same damn city. To my ISP. They don't care. To other entities. To the original ISP. To anyone that would listen. Nobody listens. Even when you provide logs and context and everything.

I feel like... it's still the wild wild west out there, but without the sheriff. Until you get "caught" for something that originated from your system and you didn't do. Then it's another story. And we're going back to the idea that prevention made more sense than repairing.


HONESTLY... there are times when I feel like shutting down everything... just because I need a good night sleep.

[eccerr0r]

How about copy your stuff and claim it for their own?
Like account numbers and passwords or novel research?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[Hu]

I did not mean the attackers would secure the system for an altruistic purpose. I was referring to attackers who are purely self interested. They secured the system so that no other intruders would break in and interfere with the first intruder's use of the system.

Suppose that there exists a vulnerable system with plenty of bandwidth and CPU power. Attacker #1 breaks in, and wants to use it for bitcoin mining. Attacker #2, if he breaks in, will use the system to start sending spam. Spammers get reported more often than bitcoin miners, because lots of people receive the unwanted spam, but the only negative effect of the bitcoin miner is the increased load on the victim's system, so that is easier to miss. If the spam gets enough reports, the legitimate owner might examine the system and notice both intruders, then reclaim the system. Now no intruders have use of the system. Therefore, in a purely self interested sense, attacker #1 should harden the system against attacker #2, so that the system can be dedicated to bitcoin mining and not draw unwanted attention due to attacker #2 using it to send spam.

[axl]

[eccerr0r]

It was brought up because hackers are selfish likewise, they don't want to share "their loot" (i.e. YOUR computer) with competing hackers.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[Hu]

axl: e3k suggested trying to "hack back." I noted that not only is such a thing likely illegal, but that selfish intruders may well have secured their bots against such attempts, for the specific purpose of keeping the bots in service to the intruders for as long as possible.

[axl]

Which, in my humble opinion leaves you with just one option. DO NOT GET HACKED.

Because every road past that, leads to disaster. I'm sorry. I can't take comfort in the idea that the hackers will secure my systems.


On the other hand, I really wish there were more "reporting" options. I would put in the work. I already mentioned that I tried to send mails to abuse@stuff. To this day, I never got a reply that leads me to believe it was effort well spent. And reporting to local authorities about hacking attempts from Russia or China or whatever seems like a lost cause.

Nobody cares. Which is a sad state of affairs. Nobody seems to care even when systems from the US or EU are involved. As proxies. I assume they are proxies. At this moment, I am under pressure on smtp with like 10-20 requests per second. From various ip's. Most don't repeat ever. It's scary how many they are. It will go on for 1-2 more days and it will stop for a number of weeks. Didn't yet figure out the pattern. But usually there's like 3-4 days of non-stop spamming, then pause for a couple of weeks. rinse and repeat.

I portscanned with nmap some of these ip's and it seems to me like a good portion of them are residential addresses. To their credit, most isp's do not give a reverse name. Therefor 80% of them end up with: Client host rejected: cannot find your reverse hostname. The rest are picked up by spamhaus or another rbl. postgrey or dkim or spamassassin or clam.

They can't even make a dent in the systems. From any point of view. not even like 1% cpu is spent just rejecting them. But it makes quite hard to read all other logs. The screen just scrolls like its' possessed. And it's having a significant psychological effect, believe it or not. I'm wonder what's so special about me that I deserve this kind of attention.


today was not a good day. my eye hurt. and the lines keep on scrolling, day 3. I'm hoping based on paste experiences that in a day or 2 it will be over.


PS I know spamming (or whatever - not sure what it is) and hacking are not exactly the same thing. But I don't know. Could be some phishing thing, or some ransomware thing, or just noise to make all other log lines fade in the background of all the noise. Even it's just 1% cpu, and 1% bandwidth, it just bothers me to no end. I lived in a dialup era. And it's wasted resources on NOTHING. Drives me mad. You can do things with ssh to hide it or whatever. You can't do that with smtp. Not if you want to receive mails. And WWW. That's were I feel most exposed. And like I said before, you can do geoblocking... but god damn... there are many hacked computers out there.

[Hu]

axl, are you in the same thread that the rest of us are? No one ever advocated hoping hackers would secure a system. I advocated not trying to "hack back" because it would probably be illegal, and probably not be useful even if you got away with it.

[axl]

[eccerr0r]

Oh yeah. Now this russian machine is sending me SMTP SASL AUTH requests every 3 minutes, dictionary style.
iptables-filtered.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[eccerr0r]

Other than the port 465 attacks, this is another strange behavior I see from the distributed attacks.

When I ban a specific host for connecting to ssh with bad credentials, the whole subnet/24 gets banned for all packets. I end up logging subsequent connection attempts.

However I note that though they continue to hammer port 22, I also see all sorts of other ports being connected to, not just 22 which was the initial infraction.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?