[Dshield] SSH threats

Tom dshield at oitc.com
Tue Oct 2 13:58:36 GMT 2007


The dirty little secret is that "dynamics" aren't usually, unless they 
are dialups. rr.com charges extra for static IPs, yet I have friends who 
haven't had their "dynamic" IP changed in over 3 years.  Yes, some 
change a little faster and some actually have never changed.

Clearly you don't care about "scorching the earth" against bots 
residing on static or nearly static zombied IPs since that's exactly 
where the attack is coming from. So what are the "real" groups of IPs 
you are concerned about blocking indiscriminately?  These would seem 
to be dialup blocks and proxies/overloads.

Clearly blocking the port being attacked (or most fixed services 
ports) should not be a problem. Because port 80 has become so 
ubiquitous providing multiple uses and tunnels for services, this 
would seem to be an area of your concern. (As an aside this fact is 
probably why "perimeter defense" provides only an emotional security 

So the question has deconstructed to: should we block port 80 based 
upon threats on other ports?  My answer is yes. Why? A machine that 
has been rooted and is running a bot can attack via any vector. They 
have been known to start against one port and switch to many others as 
they get used for various purposes. This is reason enough to block all 
based upon a real attack against a specific port.

The next part of the question is what is my business risk that I 
might block legitimate users.  It is low because if you are being 
attacked by a legitimate user who is infected, you do want to block 
them anyway for your own safety and security. So again deconstructing 
the question, it becomes what is the probability that a legitimate 
user will be sharing an IP with a bot that you have blocked due to 
attacks? (Would this be a DOS directed at a specific user?) IMHO the 
probability is near zero.

Fundamentally, this type of "attack" has such a low ROI that if a bot 
master wanted to disrupt a server they would just perform a DDOS.

We have been blocking in our server firewalls based upon this 
approach for almost 2 years and have never had an issue.

The real concern and one that we have looked at is what would happen 
if the DenyHosts distributed database becomes poisoned. However, large 
scale poisoning can be detected and poisoning directed at a specific 
remote entity is extremely unlikely although not zero.  However, 
given that probabilities of other risk vectors are much higher than 
this and given the positive effect that this technique provides, I 
see little risk in deploying in a general server environment.

The final question is what activity should be declared an attack? For 
this I leave to another thread....


At 7:20 PM -0700 10/1/07, Tomas L. Byrnes wrote:
>How do you handle the "scorched earth" problem? Many attacking IPs are
>>  -----Original Message-----
>>  From: list-bounces at lists.dshield.org
>>  [mailto:list-bounces at lists.dshield.org] On Behalf Of Don Wilder
>>  Sent: Monday, October 01, 2007 11:29 AM
>>  To: General DShield Discussion List
>>  Subject: Re: [Dshield] SSH threats
>>  I use an iptables script setup that will add the ip address
>>  of someone attempting to log into my servers with an invalid
>>  name or any of the common services. The block list I have now
>>  has grown pretty large from all the scans, but once in the
>>  blocked list they get cut off from all services.
>>  On 10/1/07, Tomas L. Byrnes <tomb at byrneit.net> wrote:
>>  >
>>  > What are your thoughts on running a block list derived from the
>>  > denyhosts network data on your firewall?
>>  >
>>  > I guess that the block list could be polluted by someone using the
>>  > injection technique across a large number of hosts, but how
>>  likely is that?
>>  >
>>  > _________________________________________
>>  > SANS Network Security 2007 in Las Vegas September 22-30. 39
>>  courses,
>>  > SANS top instructors.  http://www.sans.org/info/9346
>>  >
>>  --
>>  ---------------------------------------------
>>  Don Wilder
>>  Senior Analyst
>>  ---------------------------------------------
>>  Programming today is a race between software engineers
>>  striving to build bigger and better idiot-proof programs, and
>>  the Universe trying to produce bigger and better idiots. So
>>  far, the Universe is winning.
>>  _________________________________________
>>  SANS Network Security 2007 in Las Vegas September 22-30. 39
>>  courses, SANS top instructors.  http://www.sans.org/info/9346
>SANS Network Security 2007 in Las Vegas September 22-30. 39 courses,
>SANS top instructors.  http://www.sans.org/info/9346


Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com
Google Talk: trshaw at gmail.com
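An added example of the pattern discussed in this thread (this is not code from the original post, from DenyHosts, or from any list member): count failed SSH logins per source address from sshd's syslog lines and, once a source crosses a threshold, emit iptables rules that drop it on every port rather than only the port it attacked. The log lines are constructed for the example, and the 192.0.2.0/24 management network in the exempt list is an assumption. The regex anchors on the trailing "from <ip> port <n> ssh2" of the line, so a username that itself contains "from 1.2.3.4" (the injection technique the thread mentions) cannot put an address of the attacker's choosing into the block list.

```python
"""Build an all-port block list from failed SSH logins.

Added example for this thread, not code from the original post or from
DenyHosts. The log lines below are constructed in OpenSSH's syslog
format; the 192.0.2.0/24 exempt network is a hypothetical management range.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not real log data). The last three carry a
# username that itself contains "from <ip>"; the parser must not believe
# the injected address, only the real peer address at the end of the line.
SAMPLE_LOG = """\
Oct  2 13:01:11 srv sshd[2314]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct  2 13:01:13 srv sshd[2314]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Oct  2 13:01:15 srv sshd[2314]: Failed password for root from 203.0.113.5 port 51251 ssh2
Oct  2 13:02:02 srv sshd[2320]: Failed password for invalid user test from 198.51.100.9 port 40111 ssh2
Oct  2 13:02:40 srv sshd[2331]: Accepted publickey for tom from 192.0.2.10 port 50022 ssh2
Oct  2 13:03:05 srv sshd[2335]: Failed password for invalid user bob from 192.0.2.10 port 50030 ssh2
Oct  2 13:03:06 srv sshd[2335]: Failed password for invalid user bob from 192.0.2.10 port 50031 ssh2
Oct  2 13:03:07 srv sshd[2335]: Failed password for invalid user bob from 192.0.2.10 port 50032 ssh2
Oct  2 13:04:00 srv sshd[2340]: Failed password for invalid user x from 10.0.0.7 port 1 ssh2
Oct  2 13:04:30 srv sshd[2345]: Failed password for invalid user a from 1.2.3.4 from 203.0.113.77 port 2222 ssh2
Oct  2 13:04:31 srv sshd[2345]: Failed password for invalid user a from 1.2.3.4 from 203.0.113.77 port 2223 ssh2
Oct  2 13:04:32 srv sshd[2345]: Failed password for invalid user a from 1.2.3.4 from 203.0.113.77 port 2224 ssh2
"""

# Anchored on the tail of the line: the real peer address is always the
# last "from <ip> port <n> ssh2", whatever the username contains.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Ranges never blocked, whatever the logs say: loopback, RFC 1918,
# link-local, and a hypothetical management network (assumed for the
# example) that we would rather alert on than firewall ourselves out of.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",
    "192.0.2.0/24",  # hypothetical admin range
)]


def parse_failures(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def exempt(ip):
    """True if the address falls in a range we never firewall."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)


def select_blocks(counts, threshold=3):
    """Addresses at or over the threshold that are not exempt, sorted."""
    chosen = [ip for ip, n in counts.items() if n >= threshold and not exempt(ip)]
    return sorted(chosen, key=ipaddress.ip_address)


def iptables_rules(ips):
    """Drop everything from each address: no --dport, so all services are cut off."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    blocked = select_blocks(parse_failures(SAMPLE_LOG))
    print("\n".join(iptables_rules(blocked)))
```

Run against the sample, 203.0.113.5 and 203.0.113.77 are dropped on all ports, 198.51.100.9 is under the threshold, 10.0.0.7 and 192.0.2.10 are exempt, and 1.2.3.4 never appears because it only ever occurred inside a username. A real deployment would feed the rules into an ipset or the DenyHosts-style shared list rather than insert one rule per address, and would age entries out; the same exempt list is where you keep the dialup and proxy ranges the "scorched earth" question is about.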
