We have been noticing flurries of sshd reject messages in
which some system out there in the hinterlands hits us with a flood of
ssh login attempts.  An example:

Apr  6 05:41:51 dc sshd[88763]: Did not receive identification string from 67.19.58.170
Apr  6 05:49:42 dc sshd[12389]: input_userauth_request: illegal user anonymous
Apr  6 05:49:42 dc sshd[12389]: Failed password for illegal user anonymous from 67.19.58.170 port 32942 ssh2
Apr  6 05:49:42 dc sshd[12389]: Received disconnect from 67.19.58.170: 11: Bye Bye
Apr  6 05:49:42 dc sshd[12406]: input_userauth_request: illegal user bruce
Apr  6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2
Apr  6 05:49:42 dc sshd[12406]: Received disconnect from 67.19.58.170: 11: Bye Bye
Apr  6 05:49:42 dc sshd[12422]: input_userauth_request: illegal user chuck

        You get the idea.  This goes on for 3 or 4 minutes and then
just stops for now.  I can almost promise that later, another attack
will start from some other IP address and blaze away for a few
minutes.

        Other than spewing lots of entries into syslog, what is the
purpose of the attack?  Are they just hoping to luck into an open
account?  The odds of guessing the right account name and then guessing
the correct password are astronomical, to say the least.
Direct root logins are not possible, so there is another roadblock.

        This seems on the surface to be aimed at simply filling up the /var
file system, but it is so stupid as to make me wonder if there is
something else more sophisticated that we truly need to be trembling
in our shoes over.

        I notice from the syslog servers here that the same system
is hammering other sshd applications on those devices at the same time
it is hitting this system, so whatever script it is, it is probably just
trolling our network, looking for anything that answers.

        Thanks for any useful information as to the nature of what
appears to be more of a nuisance than a diabolical threat to security.

Martin McCormick WB5AGZ  Stillwater, OK 
OSU Information Technology Division Network Operations Group
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
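The following is an added example, not code from the original post or from the FreeBSD project. It does what a practitioner would want on top of the question above: parse sshd log entries of the kind quoted (including ones a mail client has wrapped onto indented continuation lines), count failed passwords per source address in a sliding window, note how many different user names were tried (the signature of a dictionary scan rather than a mistyped password), and emit pf table commands for the sources that cross a threshold. The sample log is constructed for the demo: the first entries mirror the post's excerpt, and the additional guessed names, the legitimate user "martin", the address 10.0.0.5, the year 2005 and the pf table name "bruteforce" are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample, modelled on the syslog excerpt in the post. The first
# entries reproduce its wrapped lines; the later names, the user "martin" and
# the address 10.0.0.5 are invented for the demo.
SAMPLE_LOG = """\
Apr  6 05:41:51 dc sshd[88763]: Did not receive identification
        string from 67.19.58.170
Apr  6 05:49:42 dc sshd[12389]: input_userauth_request: illegal
        user anonymous
Apr  6 05:49:42 dc sshd[12389]: Failed password for illegal user
        anonymous from 67.19.58.170 port 32942 ssh2
Apr  6 05:49:42 dc sshd[12389]: Received disconnect from
        67.19.58.170: 11: Bye Bye
Apr  6 05:49:42 dc sshd[12406]: Failed password for illegal user
        bruce from 67.19.58.170 port 32983 ssh2
Apr  6 05:49:43 dc sshd[12422]: Failed password for illegal user
        chuck from 67.19.58.170 port 33010 ssh2
Apr  6 05:49:43 dc sshd[12430]: Failed password for illegal user
        dave from 67.19.58.170 port 33021 ssh2
Apr  6 05:49:44 dc sshd[12441]: Failed password for illegal user
        test from 67.19.58.170 port 33044 ssh2
Apr  6 05:49:44 dc sshd[12450]: Failed password for illegal user
        guest from 67.19.58.170 port 33060 ssh2
Apr  6 06:30:10 dc sshd[13001]: Failed password for martin from
        10.0.0.5 port 50122 ssh2
Apr  6 06:30:25 dc sshd[13008]: Accepted publickey for martin from
        10.0.0.5 port 50130 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<msg>.*)$")
# Older sshd says "illegal user", newer releases say "invalid user".
FAIL_RE = re.compile(
    r"Failed password for (?P<invalid>(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")
NOID_RE = re.compile(
    r"Did not receive identification string from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Event:
    when: datetime
    kind: str          # "failed" (password rejected) or "noid" (banner probe only)
    ip: str
    user: str = ""
    invalid: bool = False   # True when the account does not exist on this host


@dataclass
class Verdict:
    ip: str
    failures: int
    peak_in_window: int
    distinct_users: int
    invalid_users: int
    probes: int
    flagged: bool


def unwrap(text):
    """Re-join syslog entries that were wrapped onto indented continuation lines."""
    entries = []
    for line in text.splitlines():
        if line[:1].isspace() and entries:
            entries[-1] += " " + line.strip()
        elif line.strip():
            entries.append(line.rstrip())
    return entries


def parse(text, year=2005):
    """Extract failed-password and no-identification events.
    syslog omits the year, so it is an assumption supplied by the caller."""
    events = []
    for entry in unwrap(text):
        m = LINE_RE.match(entry)
        if not m:
            continue
        when = datetime.strptime(f"{year} {' '.join(m['ts'].split())}",
                                 "%Y %b %d %H:%M:%S")
        f = FAIL_RE.search(m["msg"])
        if f:
            events.append(Event(when, "failed", f["ip"], f["user"],
                                f["invalid"] is not None))
            continue
        n = NOID_RE.search(m["msg"])
        if n:
            events.append(Event(when, "noid", n["ip"]))
    return events


def analyse(events, window=timedelta(minutes=5), threshold=5):
    """Per source address: most failures seen inside any `window`, how many
    different names were tried, and whether that crosses `threshold`
    (the same idea sshguard and fail2ban implement)."""
    failed, probes = defaultdict(list), defaultdict(int)
    for ev in events:
        if ev.kind == "failed":
            failed[ev.ip].append(ev)
        else:
            probes[ev.ip] += 1
    report = {}
    for ip in set(failed) | set(probes):
        evs = sorted(failed.get(ip, []), key=lambda e: e.when)
        peak = start = 0
        for end, ev in enumerate(evs):          # sliding window over sorted times
            while ev.when - evs[start].when > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[ip] = Verdict(
            ip=ip, failures=len(evs), peak_in_window=peak,
            distinct_users=len({e.user for e in evs}),
            invalid_users=sum(e.invalid for e in evs),
            probes=probes.get(ip, 0), flagged=peak >= threshold)
    return report


def block_commands(report, table="bruteforce"):
    """pf commands adding each flagged source to a table (name assumed) that a
    'block in quick from <bruteforce>' rule would consult."""
    return [f"pfctl -t {table} -T add {v.ip}"
            for v in sorted(report.values(), key=lambda v: v.ip) if v.flagged]


if __name__ == "__main__":
    report = analyse(parse(SAMPLE_LOG))
    for v in sorted(report.values(), key=lambda v: v.ip):
        print(v)
    print("\n".join(block_commands(report)))
```

On the sample, 67.19.58.170 shows six failures in two seconds against six different non-existent accounts plus one banner-only probe, which is the dictionary-scan pattern, while the single failure from 10.0.0.5 for a real user stays below the threshold. The threshold and window are the knobs to tune against your own legitimate typo rate before wiring the output to pfctl.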
