Automatic abuse reports
You're right, they wouldn't get all of the way through. The three-way
handshake is great against blind spoofing attacks. That said, the
original poster was focused on a DOS event; to do that you really don't
need the full handshake.
I'm not sure if the end goal of whoever we were dealing with was to
DOS us or if it was some screwed up half-open SYN scans, or, my personal
guess, it was to generate enough bogus log traffic to hide which
connections were legitimate threats. Either way, enough inbound SYN
connections on port 22 would tip over the servers; this was LONG ago,
circa 97~99, so the traffic we saw was an effective DOS.
We had inetd calling ssh and also telnet (change comes slowly and
crypto was painful to implement for us at the time). In our setup inetd
decided to log the sessions, both ssh and telnet, as soon as the daemon
was called. So even if we didn't do the full session setup the machine
would still log an event for each TCP session.
In hindsight we could have cleaned it up so that it wouldn't log before
completing the handshake, or tweaked the perl script to filter them out,
but I was a newbie at that point and placing ACLs in my border router to
drop inbound ssh traffic that didn't come from netblocks I expected and
moving off of the default port were the easiest solutions at the time.
Now it would be trivial to set up syslog and sshd to give only the
sessions that complete the handshake; however, I'm also not sure how
responsive some of the abuse contacts may be. I'll keep my restrictive
network settings for the time being.
Sam Moats
On 2013-11-12 20:43, William Herrin wrote:
> On Tue, Nov 12, 2013 at 4:52 PM, Sam Moats <sam at circlenet.us> wrote:
>> We used to use a small perl script called tattle that would parse
>> out the
>> /var/log/secure on our *nix boxes, isolate the inbound ssh exploits,
>> lookup
>> the proper abuse contacts and report them. I haven't seen anything
>> similar
>> in years but it would be interesting to do more than null route IPs.
>>
>> The problem we had with the automated reporting was dealing with
>> spoofed
>> sources; we see lots of traffic that is obviously hostile, but unless
>> it
>> becomes serious enough to impact performance we rarely report it. An
>> automated system didn't seem to fit anymore due to false positives.
>
> Hi Sam,
>
> Out of curiosity -- how does one get a false positive on an ssh
> exploit attempt? Does the origin IP not have to complete a 3-way
> handshake before it can attempt an exploit?
>
> Regards,
> Bill Herrin
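The filtering the thread arrives at (count only events sshd can log after a session got past the handshake, drop sources inside netblocks you expect, and only flag a source once it crosses a threshold) as an added Python example. This is not the tattle script or any code from the thread; the log lines, the 192.0.2.0/24 "expected" netblock and the threshold of 3 are constructed for illustration, and the abuse-contact lookup the original script did is left out.

```python
"""Aggregate inbound ssh login failures from /var/log/secure-style lines.

Added example, not from the thread. The point it demonstrates:
an inetd "connection from" notice fires on any TCP session, so a
spoofed or half-open SYN can put a bogus source in the log. An sshd
"Failed password" line is only written after a completed TCP handshake
and an ssh protocol exchange, so its source address cannot be blindly
spoofed. Reporting only on the latter removes that class of false
positive; an allowlist and a threshold remove the rest.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in the classic /var/log/secure format.
SAMPLE_LOG = """\
Nov 12 20:41:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Nov 12 20:41:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Nov 12 20:41:03 host sshd[1204]: Failed password for root from 203.0.113.5 port 51030 ssh2
Nov 12 20:41:05 host sshd[1207]: Failed password for invalid user test from 198.51.100.77 port 40000 ssh2
Nov 12 20:41:06 host sshd[1209]: Accepted publickey for sam from 192.0.2.10 port 52000 ssh2
Nov 12 20:41:07 host sshd[1210]: Failed password for sam from 192.0.2.10 port 52001 ssh2
Nov 12 20:41:08 host sshd[1211]: Failed password for sam from 192.0.2.10 port 52002 ssh2
Nov 12 20:41:08 host sshd[1211]: Failed password for sam from 192.0.2.10 port 52003 ssh2
Nov 12 20:41:09 host inetd[812]: connection from 198.51.100.200 (ssh)
"""

# Matches only the post-authentication failure line; the inetd
# "connection from" notice deliberately does not match.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failed_logins(text):
    """Return (ip, user) tuples, one per authenticated-failure line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user")))
    return events


def candidate_sources(text, expected_nets, threshold):
    """Count failures per source address, skipping any address inside an
    expected netblock (the ACL idea from the thread), and keep only the
    sources that reached `threshold` failures."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    counts = Counter()
    for ip, _user in parse_failed_logins(text):
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in nets):
            continue  # own or expected ranges are never auto-reported
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def build_report(text, expected_nets, threshold):
    """One human-readable line per reportable source, with the
    usernames tried, ready to hand to an abuse-contact lookup step."""
    users = defaultdict(set)
    for ip, user in parse_failed_logins(text):
        users[ip].add(user)
    flagged = candidate_sources(text, expected_nets, threshold)
    return [
        f"{ip}: {n} failed ssh logins (users: {', '.join(sorted(users[ip]))})"
        for ip, n in sorted(flagged.items())
    ]


if __name__ == "__main__":
    # Constructed allowlist and threshold for the sample above.
    for line in build_report(SAMPLE_LOG, ["192.0.2.0/24"], 3):
        print(line)
```

With the sample input, 203.0.113.5 is the only source reported: 198.51.100.77 stays under the threshold, 192.0.2.10 is inside the expected netblock, and the inetd line from 198.51.100.200 never counts because it proves nothing about the source address. Feed the function real `/var/log/secure` text and a realistic allowlist to use it on a live box.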