Low, slow, distributed SSH username brute forcing

Koos writes in with some logs of distributed SSH scanning with the following characteristics.  Usernames are being brute forced starting at "aaa" and incremented.  This is being done in a distributed manner with almost perfect synchronization between the scanning hosts.  Over the last 32 hours, his system received 216 login attempts of which 138 attempts were from unique IP addresses.  Obviously, the attacker is trying to avoid the popular SSH banning scripts by going under the banning thresholds of these programs.  At peak, there was only 20 total attempts per hour.

Note that the username guessing did not actually cover all possibilities.  Perhaps it is a bug, or by design.  The last letter was not being exhaustively tested - only about 10 of 26 letters were being tested in the last position, and it seemed to be randomly picked.


112 Posts
Oct 2nd 2008
I've seen it aswell. The clients connecting are obviously the leaves of some kind of botnet. Those nets should be mapped and monitored. Is there anybody who has a setup to collect and consolidate the data ?

1 Posts
you might check the shadowserver folks -- they might have something cooking
These folks are tracking SSH attackers: http://stats.denyhosts.net/stats.html

112 Posts

Sign Up for Free or Log In to start participating in the conversation!