SSH Brute Force Attack Source Insight

The Dragon Research Group maintains a network of machines we affectionately call "Pods". These Pods run a custom-built and hardened *nix distro which listens on several ports, one such port is 22/TCP SSH. We see a fair amount of brute force password attacks every day against this port; about 36,000 guesses per day on average. We decided to take a deeper look at the attack data, because, well, that's what we do here.

The sample of data used in this study is from a recent 30 day period. It is important to note that this dataset is a very small sample of global Internet IP address space and may not be representative of a more complete global Internet picture. During this time period we saw...

  • About 3,400 attacks
  • Over 1,000,000 (one million) pwauth guesses, about 300 per attack
  • 1,485 unique attacker IP addresses from 532 different AS numbers

We took the unique IP attacker addresses and compared it with a database of some 129,000 malicious domains and IP addresses; we found some interesting correlations.

Top Attacking Nets are Consumer ISPs?
Top attacking networks appear to be ISPs who sell to consumers. It's likely that these are zombie bots (infected machines participating in botnets).

Top 10 ASNs by Hit Count

Attacking Nets Full of Badness
Correlation to the mal-data shows that some of these networks are full of "badness". The top 10 networks from our SSH attack data are also home for 3,582 malicious domains, or approximately 10% of the malicious domains we have listed. Meaning they not only host attack machines but websites that serve malware, rogueware, phishing sites, etc. Some of the ISPs are rather large which would propel them higher on the list, we did not do any type of ratio comparison of unique IPs seen versus total allocated to the AS number.

TYPES : trojans, droppers, rootkits, C&C, phishing sites, redirectors
DELIVERY / EXPLOITATION : 0-day exploits, fake anti-virus, fake Microsoft updates, fake videos, fake pics, fake codec, mass SQL injection attack
MALWARE NAMES : Bredolab, Conficker, Wsnpoem, ZeuS, Zbot, Waledac, Gumblar, Koobface, Russkill, SpyEye, Virut, Asprox, Mebroot, TDSS, Cutwail, KillAV, TDSS, Swisyn, Rustock, InfoStealer
BRANDS ATTACKED : U.S. Govt. CDC, Facebook, President Obama, Microsoft, US Govt. IRS, MySpace, Twitter, HSBC
EXPLOITS : Windows, MS RealPlayer, PDF, IE, 0-days, (Eleonore, Phoenix, Fragus, Liberty, Yes, LuckySploit, Fragus, Krap)

Maldata Keyword Counts

Top AS = Top Source of Mal-Data
#1 AS number on the SSH hits list matches #3 on the mal-data list, accounting for 2,181 mal-domains: CHINANET-BACKBONE No.31Jin-rong Street. According to the CIDR Report (CIDR Report Listing for AS 4134) this ASN is huge, accounting for some 100 million IP addresses, so that could in part account for the large number in our report.

  • Domains injected into SQL servers during SQL injection attack.
  • Domains used in various phishing spam and malware attacks.
  • Exploits for Windows, PDFs.
  • Malware distribution and C&C for ZeuS, Wsnpoem, Zbot, Bredolab, SpyEye, Koobface, Waledac, Russkill.
  • Fake videos, fake anti-virus software, flash.

Top Attacking Country = China
Top attacking country by IP location: China, accounting for roughly 21% of all unique IPs. Next is the US with 13%. Incidentally, Russia and Ukraine, known to host their fair share of malware, miss the top 10 ranking coming in as 12th and 13th respectively.

Top 10 Country by Unique IP address

posted at 12:00 am | permanent link

About DRG

Apply to DRG

Host a DRG Distro Pod

Insight & Analysis


Weekend Reads


Security Innovation Grant

Mailing lists

DRG PGP public key

Follow us on Twitter Follow DragonResearch on Twitter

Feedback: dragon@dragonresearchgroup.org