[Dshield] Concerning ssh brute force attacks: Are the IP adresses spoofed?

Chandan chandanasha at gmail.com
Mon Aug 22 05:02:26 GMT 2005


Hi,

To find out the exact information use Traceroute command to find the
route of ip address  and you can conclude that wether ip is spoofed or
not. and hping command to find out the sequesnce no packets.


Regards
Chandan

On 7/5/05, Sven Marten Czerwonka <sven.marten.czerwonka at gmx.de> wrote:
> Hi everyone,
> I'm seeing lots of attempts to ssh into my server in my logs using
> nonexisting users (about once all three hours from a new IP). The
> mashine does not accept any password logins (private/public key only)
> and moving from port 22 is not an option. I have a script set up that
> forwards the logs to the abuse adress of the concerning IP and also
> reports to dshield. Sometimes I try a nslookup of the IP. The last
> attacks seemed to originate from domains in Europe and when I reported
> it to the webmasters/abuse-adresses, the webmasters responded, that the
> checked their servers and are positive about the traffic not originating
> from their mashines.
> 
> So I liked to know: Is there a way to confirm the origin of the packets
> (not for the old ones, but the next attack certainly comes)? Or do you
> know if the addresses are spoofed? And if they are, where's the sence in
> that? If they are spoofed, does forwarding the logs to the abuse
> adresses and dshield make any sence anymore?
> 
> --
> Sven Marten Czerwonka
> Steenbeker Weg 14
> 24106 Kiel
> Germany
> --- http://washbear.dyndns.org ---
> 
> 
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
>



More information about the list mailing list