Network Security: Detailed info on Re: Weird SSH attack last night and this morning (still ongoing)

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Incidents

[Top] [All Lists]

Re: Weird SSH attack last night and this morning (still ongoing)

from [Valdis . Kletnieks] Network Security

[Permanent Link]

Subject:	Re: Weird SSH attack last night and this morning (still ongoing)
Date:	Wed, 07 May 2008 14:17:19 -0400

On Wed, 07 May 2008 10:53:35 PDT, Erin Carroll said:

When I saw this hitting my servers last night I thought it an odd attack
pattern but surmised it was either a targeted slow attack with spoofed IP's


Unless your operating system is *very* broken and doesn't do RFC1948 
randomization
of the TCP Initial Sequence Number, using a spoofed ID just gets you a bunch
of sockets stuck in half-open state (SYN received, SYN/ACK send to the spoofed
source, no ACK back).  If it's gotten through the 3-packet handshake, you may
as well assume that it's a real IP address (or the attacker has already pwned
enough infrastructure that they can see the SYN/ACK you send, in which case
they control the horizontal and vertical and you're now in an Outer Limits
episode... ;)

pgpfgCiFg8QPe.pgp
Description: PGP signature

[More messages with this same subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Weird SSH attack last night and this morning (still ongoing), Gary Baribault Re: Weird SSH attack last night and this morning (still ongoing), Robert Taylor RE: Weird SSH attack last night and this morning (still ongoing), Erin Carroll Re: Weird SSH attack last night and this morning (still ongoing), Robert Taylor RE: Weird SSH attack last night and this morning (still ongoing), Erin Carroll Re: Weird SSH attack last night and this morning (still ongoing), Blaine Fleming Message not available Re: Weird SSH attack last night and this morning (still ongoing), Gary Baribault Re: Weird SSH attack last night and this morning (still ongoing), Bartholomew Mallio RE: Weird SSH attack last night and this morning (still ongoing), Erin Carroll Message not available Re: Weird SSH attack last night and this morning (still ongoing), Gary Baribault Re: Weird SSH attack last night and this morning (still ongoing), Valdis . Kletnieks <= Re: Weird SSH attack last night and this morning (still ongoing), bugtraq Message not available Re: Weird SSH attack last night and this morning (still ongoing), Gary Baribault Re: Weird SSH attack last night and this morning (still ongoing), Brent Kearney Re: Weird SSH attack last night and this morning (still ongoing), Mick Pollard Re: Weird SSH attack last night and this morning (still ongoing), Gary Baribault Re: Weird SSH attack last night and this morning (still ongoing), Valdis . Kletnieks Message not available Re: Weird SSH attack last night and this morning (still ongoing), Valdis . Kletnieks Message not available Re: Weird SSH attack last night and this morning (still ongoing), Valdis . Kletnieks

Previous by Date:	Re: Weird SSH attack last night and this morning (still ongoing), Bartholomew Mallio
Next by Date:	RE: Weird SSH attack last night and this morning (still ongoing), Erin Carroll
Previous by Thread:	Re: Weird SSH attack last night and this morning (still ongoing), Gary Baribault
Next by Thread:	Re: Weird SSH attack last night and this morning (still ongoing), bugtraq
Indexes:	[Date] [Thread] [Top] [All Lists]