[Dshield] Concerning ssh brute force attacks: Are the IP adresses spoofed?

Kevin kkadow at gmail.com
Wed Aug 24 06:56:57 GMT 2005

On 8/22/05, Valdis.Kletnieks at vt.edu <Valdis.Kletnieks at vt.edu> wrote:
> On Mon, 22 Aug 2005 10:32:26 +0530, Chandan said:
> > To find out the exact information use the traceroute command to find the
> > route of the IP address and you can conclude whether the IP is spoofed or
> > not, and the hping command to find out the sequence numbers of packets.
> Umm. No.  It's not rare at all for me to see a SYN/ACK packet show up at my
> laptop in response to a SYN that I didn't send.  It's called "backscatter".

Backscatter is interesting, but the backscatter SYN/ACK packet you see
isn't making it to the guy who spoofed the original SYN, so he is unable
to bring up a TCP session to the target and try a dictionary attack.

> If you traceroute to my laptop, you'll find out *A* path from your site to my
> laptop (note that traceroute *can* get it wrong if there's an asymmetric path
> or a routing flap).  That doesn't mean that the original problem packet wasn't
> launched by a machine in Poland or someplace.

It's trivially easy to *transmit* spoofed packets.

It's much much more difficult to receive the *replies* to those packets,
and extremely difficult to intercept the replies to packets spoofed
to appear from a machine that is currently also active on the Internet;
you pretty much have to be (or own) the ISP of either the source or target
of your spoofed attack.

For the problem discussed by the OP, the attacker must be able to see the
replies to successfully complete a TCP three-way handshake and attempt a
brute-force login on an SSH server.  In that case, traceroute (if
executed at the time of the attack) shows the target the most likely
path reply packets take back towards the source of the requests.

>Chandan wrote:
>> The last attacks seemed to originate from domains in Europe
>> and  when I reported it to the webmasters/abuse-addresses, 
>> the webmasters responded, that they checked their servers and
>> are positive about the traffic not originating from their machines.

In declining order of likelihood:

1) Their servers are compromised, the webmaster is in denial.
2) The webmaster is actually the attacker.
3) Your machine is already hacked and the logs are spoofed :)
4) The source of the brute-force password attack against you was spoofed.

Kevin Kadow

(P.S. Spoofing traffic to appear to come from networks which are
*not* currently actively routed on the Internet is an animal of a
different color, and perhaps more a topic for NANOG than DSHIELD.)
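The argument of the thread (a spoofed SYN produces only backscatter at the spoofed address and never an established session on which a password guess could be made), as an added example that is not part of the original post: a toy Python model of the three-way handshake with constructed hosts, addresses and a one-function "network".

```python
from dataclasses import dataclass, field
@dataclass
class Segment:
    src: str
    dst: str
    flags: str  # "SYN", "SYN/ACK", "ACK" or "RST"
@dataclass
class Host:
    addr: str
    state: dict = field(default_factory=dict)  # peer address -> TCP state
    seen: list = field(default_factory=list)   # every segment delivered here
    def receive(self, seg: Segment, net: "Network") -> None:
        self.seen.append(seg)
        if seg.flags == "SYN":  # passive open: answer with SYN/ACK
            self.state[seg.src] = "SYN_RECEIVED"
            net.send(Segment(self.addr, seg.src, "SYN/ACK"))
        elif seg.flags == "SYN/ACK":
            if self.state.get(seg.src) == "SYN_SENT":  # the reply we asked for
                self.state[seg.src] = "ESTABLISHED"
                net.send(Segment(self.addr, seg.src, "ACK"))
            else:  # unsolicited SYN/ACK, i.e. backscatter: reset it
                net.send(Segment(self.addr, seg.src, "RST"))
        elif seg.flags == "ACK" and self.state.get(seg.src) == "SYN_RECEIVED":
            self.state[seg.src] = "ESTABLISHED"
        elif seg.flags == "RST":
            self.state.pop(seg.src, None)

class Network:
    """Delivers each segment to the host owning its destination address."""
    def __init__(self, *hosts: Host):
        self.hosts = {h.addr: h for h in hosts}
    def send(self, seg: Segment) -> None:
        if seg.dst in self.hosts:  # anything else is unrouted and dropped
            self.hosts[seg.dst].receive(seg, self)

def connect(net, client, server, spoof_as=None) -> bool:
    """Client opens a connection, optionally with a forged source. True means
    the server reached ESTABLISHED with the source it saw (what sshd needs)."""
    src = spoof_as or client.addr
    client.state[server.addr] = "SYN_SENT"
    net.send(Segment(src, server.addr, "SYN"))
    return server.state.get(src) == "ESTABLISHED"

def demo():
    # constructed documentation-range addresses, not taken from the thread
    attacker, innocent, sshd = Host("203.0.113.7"), Host("198.51.100.9"), Host("192.0.2.22")
    net = Network(attacker, innocent, sshd)
    real = connect(net, attacker, sshd)  # True: the attacker sees the SYN/ACK
    spoofed = connect(net, attacker, sshd, spoof_as=innocent.addr)  # False
    return real, spoofed, [s.flags for s in innocent.seen]  # innocent got ['SYN/ACK']
```

The spoofed case leaves the SSH server with no state for the forged address, so a "Failed password" line in its log can only come from a source that really received the SYN/ACK.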
