[Dshield] SSH threats
dshield at oitc.com
Tue Oct 2 13:58:36 GMT 2007
The dirty little secret is that "dynamics" aren't usually unless they
dialups. rr.com charges extra for static IPs yet I have friends that
haven't had their "dynamic" IP changed in over 3 years. Yes, some
change a little faster and some actually have never changed.
Clearly you don't care about "scorching the earth" against bots
residing on static or nearly static zombied IPs since that's exactly
where the attack is coming from. So what are the "real" groups of IPs
you are concerned about blocking indiscriminately? These would seem
to be dialup blocks and proxies/overloads.
Clearly blocking the port being attacked (or most fixed services
ports) should not be a problem. Because port 80 has become so
ubiquitous providing multiple uses and tunnels for services, this
would seem to be an area of your concern. (As an aside this fact is
probably why "perimeter defense" provides only an emotional security
So the question has deconstructed to should we block port 80 based
upon threats on other ports? My answer is yes. Why? A machine that
has been rooted and it running a bot can attack via any vector. They
have been know to start against one port and switch to many others as
they get used for various purposes. This is reason enough to bock all
based upon a real attack against a specific port.
The next part of the question is what is my business risk that I
might block legitimate users. It is low because if you are being
attached by a legitimate user who is infected, you do want to block
them anyway for your own safety and security. So again deconstructing
the question, it becomes what is the probability that a legitimate
user will be sharing an IP with a bot that you have blocked due to
attacks? (Would this be a DOS directed a at specific user?) IMHO the
probability is near zero.
Fundamentally, this type of "attack" has such a low ROI that if a bot
master wanted to disrupt a server they would just perform a DDOS.
We have been blocking in our server firewalls based upon this
approach for almost 2 years and have never had an issue.
The real concern and one that we have looked at is what would happen
if the DenyHost distributed database becomes poisoned. However, large
scale poisoning can be detected and poisoning directed at a specific
remote entity is extremely unlikely although not zero. However,
given that probabilities of other risk vectors are much higher than
this and given the positive effect that this technique provides, I
see little risk in deploying in a general server environment.
The final question is what activity should be declared an attack? For
this I leave to another thread....
At 7:20 PM -0700 10/1/07, Tomas L. Byrnes wrote:
>How do you handle the "scorched earth" problem? Many attacking IPs are
>> -----Original Message-----
>> From: list-bounces at lists.dshield.org
>> [mailto:list-bounces at lists.dshield.org] On Behalf Of Don Wilder
>> Sent: Monday, October 01, 2007 11:29 AM
>> To: General DShield Discussion List
>> Subject: Re: [Dshield] SSH threats
>> I use an iptables script setup that will add the ip address
>> of someone attempting to log into my servers with an invalid
>> name or any of the common services. The block list I have now
>> has grown pretty large from all the scans, but once in the
>> blocked list they get cut off from all services.
>> On 10/1/07, Tomas L. Byrnes <tomb at byrneit.net> wrote:
>> > What are your thoughts on running a block list derived from the
>> > denyhosts network data on your firewall?
>> > I guess that the block list could be polluted by someone using the
>> > injection technique across a large number of hosts, but how
>> likely is that?
>> > _________________________________________
>> > SANS Network Security 2007 in Las Vegas September 22-30. 39
>> > SANS top instructors. http://www.sans.org/info/9346
>> Don Wilder
> > Senior Analyst
>> Programming today is a race between software engineers
>> striving to build bigger and better idiot-proof programs, and
>> the Universe trying to produce bigger and better idiots. So
>> far, the Universe is winning.
>> SANS Network Security 2007 in Las Vegas September 22-30. 39
>> courses, SANS top instructors. http://www.sans.org/info/9346
>SANS Network Security 2007 in Las Vegas September 22-30. 39 courses,
>SANS top instructors. http://www.sans.org/info/9346
Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax),
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com
Google Talk: trshaw at gmail.com
More information about the list