Low, slow, distributed SSH username brute forcing

Published: 2008-10-02
Last Updated: 2008-10-03 14:48:38 UTC
by Kyle Haugsness (Version: 2)
3 comment(s)

Koos writes in with some logs of distributed SSH scanning with the following characteristics.  Usernames are being brute forced starting at "aaa" and incremented.  This is being done in a distributed manner with almost perfect synchronization between the scanning hosts.  Over the last 32 hours, his system received 216 login attempts, of which 138 attempts were from unique IP addresses.  Obviously, the attacker is trying to avoid the popular SSH banning scripts by staying under the banning thresholds of these programs.  At peak, there were only 20 total attempts per hour.

Note that the username guessing did not actually cover all possibilities.  Perhaps it is a bug, or by design.  The last letter was not being exhaustively tested - only about 10 of 26 letters were being tested in the last position, and it seemed to be randomly picked.

Update: An anonymous reader at a university submitted logs that correlate very nicely to the above activity - it looks as if the scanning was occurring at the same time against both targets.  His logs covered 30 hours, with 600 login attempts from 184 unique IP addresses.  98 of the IP addresses match between both scans!  This scan showed the same characteristic in that the last character in the username was not being exhaustively enumerated - it still seems as if it was being incremented with a random offset.  Also, this was a larger dataset and I found that the middle letter in the username was not being exhaustively tested either (although it was very close to complete).  The final interesting point is that it appears the same username was being tested simultaneously against both targets, but from different source IP addresses.  So this tells us something about how the scanning computers are getting their "work packages".
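The defensive lesson in both sets of logs is that per-source-IP counting (what the banning scripts key on) never trips, while the guessed usernames, read in time order across all sources, advance like a counter. The following added example, which is not from the diary or from either reader's logs, parses sshd "Invalid user" lines, computes the same kind of summary figures quoted above (attempts, unique IPs, peak per hour, worst single IP), and flags runs of alphabetically incrementing usernames regardless of source address. The log lines are constructed, the year is assumed to be 2008 because syslog omits it, and the gap tolerance of five letters is an assumption chosen to absorb the skipped last-position letters the diary describes.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample sshd auth log lines (syslog format); not real data from the diary.
# Four distinct sources each make at most two attempts, far below any banning threshold,
# yet the usernames aaa, aab, aac, ... step upward as one coordinated sequence.
SAMPLE_LOG = """\
Oct  1 03:12:07 host sshd[4101]: Invalid user aaa from 192.0.2.10
Oct  1 03:20:44 host sshd[4117]: Invalid user aab from 198.51.100.23
Oct  1 03:31:19 host sshd[4130]: Invalid user aac from 203.0.113.5
Oct  1 03:45:02 host sshd[4142]: Invalid user aad from 192.0.2.77
Oct  1 04:01:55 host sshd[4160]: Invalid user aaf from 198.51.100.23
Oct  1 04:15:38 host sshd[4171]: Invalid user aag from 203.0.113.91
Oct  1 04:30:12 host sshd[4188]: Failed password for root from 192.0.2.200 port 51234 ssh2
Oct  1 04:40:50 host sshd[4190]: Invalid user aak from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_invalid_users(log_text, year=2008):
    """Return (timestamp, username, source_ip) tuples for every 'Invalid user' line.
    The year is assumed (syslog timestamps do not carry one)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day field ("Oct  1")
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def base26(name):
    """Map an all-lowercase username to its position in the aaa, aab, aac ... sequence;
    None for names that contain anything other than a-z."""
    n = 0
    for ch in name:
        if not "a" <= ch <= "z":
            return None
        n = n * 26 + (ord(ch) - ord("a"))
    return n


def find_counter_runs(events, min_run=4, max_gap=5):
    """Return runs of guessed usernames that increase alphabetically in time order,
    ignoring which IP sent each guess. max_gap (an assumed value) tolerates the
    skipped letters the diary notes in the last position."""
    runs, run = [], []
    for ev in sorted(events):
        idx = base26(ev[1])
        if idx is None:
            continue
        if run and 0 < idx - base26(run[-1][1]) <= max_gap:
            run.append(ev)
        else:
            if len(run) >= min_run:
                runs.append(run)
            run = [ev]
    if len(run) >= min_run:
        runs.append(run)
    return runs


def campaign_report(log_text):
    """Summary figures plus any incrementing-username runs found in the log."""
    events = parse_invalid_users(log_text)
    per_ip = Counter(ip for _, _, ip in events)
    per_hour = Counter(ts.replace(minute=0, second=0) for ts, _, _ in events)
    return {
        "attempts": len(events),
        "unique_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),   # what banning scripts see
        "peak_per_hour": max(per_hour.values(), default=0),
        "runs": [
            {"first": r[0][1], "last": r[-1][1], "length": len(r),
             "unique_ips": len({ip for _, _, ip in r})}
            for r in find_counter_runs(events)
        ],
    }


if __name__ == "__main__":
    report = campaign_report(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the busiest single address makes two attempts, so an IP-keyed threshold stays silent, while the username view reports one run from "aaa" to "aak" spread over five addresses. In production the same logic would be run over a rolling window of /var/log/auth.log (or the equivalent), and the run length and distinct-IP count, not the per-IP counter, would drive the alert.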



I've seen it as well. The clients connecting are obviously the leaves of some kind of botnet. Those nets should be mapped and monitored. Is there anybody who has a setup to collect and consolidate the data?
You might check the shadowserver folks -- they might have something cooking.
These folks are tracking SSH attackers: http://stats.denyhosts.net/stats.html