[nsp-sec] Sudden jump in ssh slow-scan activity

Joel Rosenblatt joel at columbia.edu
Mon Jan 18 13:46:33 EST 2010 

Hi Kevin,

Yes, the edu list has been buzzing with this for the last 2 days .. 2500+ unique sources have been seen in several places .. you are not alone.

We saw 1600+ unique attacks last night.

Thanks,
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Monday, January 18, 2010 9:38 AM -0800 Kevin Oberman <oberman at es.net> wrote:

> ----------- nsp-security Confidential --------
>
> After a long quiet period, either because there were no attempts or
> because all of the bots involved had been blocked at our edge, we
> started seeing a very heavy attack on our systems on Saturday. We have
> seen the probes from over 2000 source IPs (all reported to Cymru for
> daily reports). While the number of attempts for most user names is
> small, usually between 5 and 10, 'root' gets hundreds of attempts, none
> of which will ever work since we don't allow ssh to root (nor does
> OpenSSH, by default).
>
> I assume that we are not alone in being subject to these attacks. Are
> others seeing them?
> --
> R. Kevin Oberman, Network Engineer
> Energy Sciences Network (ESnet)
> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> E-mail: oberman at es.net			Phone: +1 510 486-8634
> Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

More information about the nsp-security mailing list