Last Updated: 2008-02-29 22:58:44 UTC
by donald smith (Version: 2)
A contributor (Ben) wrote in with an unusually dense distributed ssh scan.
“We noticed an interesting ssh probe attempt today.
In order to prevent iptables blocking based on the number of probes per
minute, each address in an entire Class C block generated only one or
two SSH probes each. These probes all came from 18.104.22.168/24”
Based on the information Ben shared with us, it appeared to come from
most of the IPs in a /24 CIDR block. The last octet is fairly random.
There is some clustering, such as a "run" of 200's, but that could still
be pseudo-random. So who owns that CIDR block?
Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 22.214.171.124 -126.96.36.199
descr: Maxnet, Internet Service Provider, Bangkok
descr: under management by TT&T co,.ltd Thailand
address: 252/30 Muang Thai Phatra Complex Tower 1, 22nd Fl., Ratchadaphisek
Rd.,Huaykwang, Bangkok 10320 Thailand
changed: email@example.com 20060410
Traceroute shows them near Singapore, so Thailand is reasonable.
Tracing route to mx-ll-58.147.10-115.tttmaxnet.com [188.8.131.52]
over a maximum of 30 hops:
1 2 ms 1 ms 1 ms 192.168.0.1
13 332 ms 334 ms 336 ms ix-2-1-1.core1.S9R-Singapore.Teleglobe.net [184.108.40.206]
14 353 ms 356 ms 512 ms mx-ll-58.147.0-45.tttmaxnet.com [220.127.116.11]
15 393 ms 368 ms 334 ms mx-ll-58.147.0-61.tttmaxnet.com [18.104.22.168]
16 337 ms 339 ms 339 ms mx-ll-58.147.0-85.tttmaxnet.com [22.214.171.124]
17 341 ms 340 ms 338 ms mx-ll-58.147.0-21.tttmaxnet.com [126.96.36.199]
18 mx-ll-58.147.4-118.tttmaxnet.com [188.8.131.52] reports: Destination host
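The evasion Ben describes works because per-host limits (an iptables rule counting probes per source per minute) never trip when each source sends only one or two attempts. The defensive counter is to aggregate failed logins by network prefix as well as by host. The script below is an added example, not code from the diary or from Ben; it assumes standard OpenSSH "Failed password" log lines, and the addresses in it (10.20.30.0/24 and 192.0.2.5) are constructed, not the ones from the report.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Matches OpenSSH failed-password lines, both "for root" and "for invalid user X".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def _make_line(ip, user="root"):
    # Builds one constructed sshd log line for the sample input below.
    return f"Feb 29 10:01:00 host sshd[1234]: Failed password for {user} from {ip} port 51000 ssh2"


# Constructed sample (not the diary's data): a /24 where each source sends one or
# two probes, the pattern Ben described, plus an ordinary single-source brute
# force from 192.0.2.5 for comparison.
_DISTRIBUTED = [7, 211, 203, 44, 198, 205, 130, 88, 209, 17, 201, 66]
SAMPLE_LOG = [_make_line(f"10.20.30.{o}") for o in _DISTRIBUTED]
SAMPLE_LOG += [_make_line(f"10.20.30.{o}", "admin") for o in _DISTRIBUTED[::3]]
SAMPLE_LOG += [_make_line("192.0.2.5") for _ in range(6)]


def failed_login_sources(lines):
    """Return the source IP of every failed-password line, in log order."""
    return [m.group(1) for line in lines if (m := FAILED_RE.search(line))]


def noisy_hosts(ips, threshold=5):
    """Per-source counting, i.e. what a per-IP iptables rate limit sees.
    Returns {ip: attempts} for sources at or above the threshold."""
    return {ip: n for ip, n in Counter(ips).items() if n >= threshold}


def distributed_scans(ips, prefixlen=24, per_ip_max=2, block_min=10):
    """Aggregate by network prefix instead of by host. A block is flagged when
    its total attempts reach block_min while no single host in it exceeds
    per_ip_max, which is exactly the profile that per-host limits miss.
    Returns {prefix: {"attempts", "hosts", "max_per_host"}}."""
    per_host = Counter(ips)
    per_block = defaultdict(Counter)
    for ip, n in per_host.items():
        net = ip_network(f"{ip}/{prefixlen}", strict=False)
        per_block[str(net)][ip] = n
    flagged = {}
    for net, hosts in per_block.items():
        total = sum(hosts.values())
        worst = max(hosts.values())
        if total >= block_min and worst <= per_ip_max:
            flagged[net] = {"attempts": total, "hosts": len(hosts), "max_per_host": worst}
    return flagged


if __name__ == "__main__":
    ips = failed_login_sources(SAMPLE_LOG)
    # The per-host view catches only the classic brute force from 192.0.2.5.
    print("per-host threshold catches:", noisy_hosts(ips))
    # The per-/24 view catches the spread-out scan that never trips a per-host limit.
    print("per-/24 aggregation catches:", distributed_scans(ips))
```

On the sample, the per-host threshold flags only 192.0.2.5, while the /24 aggregation flags 10.20.30.0/24 with 16 attempts across 12 hosts and at most 2 per host. The thresholds are tunable; on a busy server a legitimate NAT'd office or campus range can also show many hosts with few failures each, so the prefix-level hit should be treated as a lead to investigate (user names tried, timing, run of last octets) rather than an automatic block.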
I seem to be the handler who gets the distributed ssh scan reports.
I wrote a diary about some seen last year that appeared to be
distributed and coordinated (sharing a dictionary across multiple hosts).
Jim Owens and Jeanna Matthews of Clarkson Univ. reported on a similar,
though somewhat cruder, attack in a paper they recently submitted to Usenix LEET '08.