[nsp-sec] lists of IPs (and ASNs) for SSH scanning and brute force (Ack AS209 proxy Ack AS5778 )

Smith, Donald Donald.Smith at CenturyLink.com
Mon Oct 24 13:32:43 EDT 2011


I ran our set of IP addresses through netflow from the scanning report and only got a single hit which went TOWARDS one of our IP addresses towards port 22. Now that could have been a response to a scan but I would have expected a lot more port 22 traffic.
How did you validate the SSH scanning report vs the brute-force report?




When packets collide the controllers cease transmission AND wait a random time before retransmission (mostly)!
Donald.Smith at CenturyLink.com


> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Hicks, Howard
> Sent: Monday, October 24, 2011 9:19 AM
> To: 'Russell Fulton'; nsp-sec NSP
> Subject: Re: [nsp-sec] lists of IPs (and ASNs) for SSH scanning and
> brute force (Ack AS209 proxy Ack AS5778 )
>
> ----------- nsp-security Confidential --------
>
> Ack for AS209 & AS5778
> Thank you!
>
> 209     | 63.152.77.47     2011-10-22:05:50:01   2011-10-22:05:50:01   1  | ET SCAN Potential SSH Brute Force
> 209     | 67.6.137.150     2011-10-22:05:38:55   2011-10-22:13:51:51   38 | ET SCAN Potential SSH Brute Force
> 209     | 67.128.170.45    2011-10-22:07:39:31   2011-10-22:07:45:24   14 | ET SCAN Potential SSH Brute Force
> 209     | 70.59.36.80      2011-10-22:07:42:41   2011-10-22:07:42:41   1  | ET SCAN Potential SSH Brute Force
> 209     | 71.34.125.76     2011-10-22:03:22:47   2011-10-22:05:29:24   8  | ET SCAN Potential SSH Brute Force
> 209     | 71.208.5.65      2011-10-22:16:07:30   2011-10-22:16:14:49   16 | ET SCAN Potential SSH Brute Force
> 209     | 71.221.84.134    2011-10-22:08:33:02   2011-10-22:08:33:02   1  | ET SCAN Potential SSH Brute Force
> 209     | 75.164.34.104    2011-10-22:12:26:32   2011-10-22:12:30:00   7  | ET SCAN Potential SSH Brute Force
> 209     | 75.169.182.186   2011-10-22:01:38:33   2011-10-22:01:38:33   1  | ET SCAN Potential SSH Brute Force
> 209     | 97.112.185.36    2011-10-22:04:55:36   2011-10-22:07:40:10   6  | ET SCAN Potential SSH Brute Force
> 209     | 174.16.43.239    2011-10-21:18:42:05   2011-10-22:15:12:53   6  | ET SCAN Potential SSH Brute Force
> 209     | 174.17.98.147    2011-10-22:05:42:31   2011-10-22:05:42:31   1  | ET SCAN Potential SSH Brute Force
> 209     | 174.17.205.113   2011-10-22:07:52:07   2011-10-22:07:52:07   1  | ET SCAN Potential SSH Brute Force
> 209     | 174.31.32.242    2011-10-22:09:59:35   2011-10-22:09:59:35   1  | ET SCAN Potential SSH Brute Force
> 209     | 174.31.34.223    2011-10-22:22:20:48   2011-10-22:22:20:48   1  | ET SCAN Potential SSH Brute Force
> 209     | 184.97.15.115    2011-10-21:20:18:12   2011-10-21:20:18:12   1  | ET SCAN Potential SSH Brute Force
> 209     | 209.181.120.241  2011-10-21:21:54:03   2011-10-22:19:26:27   8  | ET SCAN Potential SSH Brute Force
>
>
>
> 5778    | 67.238.146.131   2011-10-22:07:34:50   2011-10-22:07:34:56   3  | ET SCAN Potential SSH Brute Force
> 5778    | 67.238.163.111   2011-10-21:18:49:09   2011-10-21:18:49:09   1  | ET SCAN Potential SSH Brute Force
> 5778    | 184.3.231.61     2011-10-22:03:54:00   2011-10-22:13:54:17   2  | ET SCAN Potential SSH Brute Force
>
> --
>
> Howard Hicks
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> > bounces at puck.nether.net] On Behalf Of Russell Fulton
> > Sent: Saturday, October 22, 2011 6:26 PM
> > To: nsp-sec NSP
> > Subject: [nsp-sec] lists of IPs (and ASNs) for SSH scanning and brute
> force
> >
> > ----------- nsp-security Confidential --------
>
>
> This communication is the property of CenturyLink and may contain
> confidential or privileged information. Unauthorized use of this
> communication is strictly
> prohibited and may be unlawful.  If you have received this
> communication
> in error, please immediately notify the sender by reply e-mail and
> destroy
> all copies of the communication and any attachments.
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-
> security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________

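The validation question in this message (a reported scanner IP that shows only one port-22 hit in netflow, and that in the inbound direction) is the kind of cross-check the following added example performs. It is not code from the thread or from any of the posters: it parses three report lines in the format quoted above and compares them against constructed flow records (the tuples in FLOWS are made-up samples using documentation addresses, not real netflow), counting port-22 flows in each direction inside the report's first-seen/last-seen window plus some slack. The verdict distinguishes an IP that sourced port-22 connections from one that merely received them, which is the distinction Donald's single "TOWARDS" hit raises.

```python
"""Cross-check an "ET SCAN Potential SSH Brute Force" report against flow data.

Added example (not from the nsp-sec thread). The report lines come from the
quoted message; the flow records are CONSTRUCTED samples in a simplified
(timestamp, src, dst, dst_port) form, not real netflow export.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Three records in the report's layout: AS | IP  first_seen  last_seen  count | signature
REPORT_TEXT = """\
209     | 67.6.137.150     2011-10-22:05:38:55   2011-10-22:13:51:51   38 | ET SCAN Potential SSH Brute Force
209     | 70.59.36.80      2011-10-22:07:42:41   2011-10-22:07:42:41   1  | ET SCAN Potential SSH Brute Force
5778    | 67.238.146.131   2011-10-22:07:34:50   2011-10-22:07:34:56   3  | ET SCAN Potential SSH Brute Force
"""

TS_FMT = "%Y-%m-%d:%H:%M:%S"  # the report writes date and time joined by a colon

RECORD_RE = re.compile(
    r"^\s*(\d+)\s*\|\s*([\d.]+)\s+(\S+)\s+(\S+)\s+(\d+)\s*\|\s*(.+?)\s*$"
)


@dataclass
class ReportEntry:
    asn: int
    ip: str
    first_seen: datetime
    last_seen: datetime
    count: int
    signature: str


def parse_report(text):
    """Parse report lines; blank or non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        asn, ip, first, last, count, sig = m.groups()
        entries.append(ReportEntry(int(asn), ip,
                                   datetime.strptime(first, TS_FMT),
                                   datetime.strptime(last, TS_FMT),
                                   int(count), sig))
    return entries


# CONSTRUCTED flow records: (timestamp, src, dst, dst_port). 67.6.137.150 sources
# several port-22 connections, 70.59.36.80 only receives one, and 67.238.146.131
# has no port-22 flows at all in the window.
FLOWS = [
    (datetime(2011, 10, 22, 5, 39, 2), "67.6.137.150", "198.51.100.10", 22),
    (datetime(2011, 10, 22, 6, 12, 40), "67.6.137.150", "198.51.100.11", 22),
    (datetime(2011, 10, 22, 9, 1, 5), "67.6.137.150", "198.51.100.12", 22),
    (datetime(2011, 10, 22, 8, 0, 0), "67.6.137.150", "198.51.100.13", 443),
    (datetime(2011, 10, 22, 7, 43, 0), "203.0.113.5", "70.59.36.80", 22),
    (datetime(2011, 10, 22, 7, 35, 10), "67.238.146.131", "198.51.100.20", 80),
]


def corroborate(entries, flows, slack=timedelta(hours=1), port=22):
    """Return {ip: (outbound_port22, inbound_port22, verdict)} per reported IP.

    outbound: the reported IP is the flow source and dst_port == port (what a
    brute-forcer looks like in flow data); inbound: some other host hit that
    port on the reported IP. Only flows inside [first_seen - slack,
    last_seen + slack] are counted, so clock skew between sensor and flow
    collector does not hide a match.
    """
    results = {}
    for e in entries:
        lo, hi = e.first_seen - slack, e.last_seen + slack
        outbound = inbound = 0
        for ts, src, dst, dport in flows:
            if dport != port or not (lo <= ts <= hi):
                continue
            if src == e.ip:
                outbound += 1
            elif dst == e.ip:
                inbound += 1
        if outbound:
            verdict = "corroborated"
        elif inbound:
            verdict = "inbound-only"  # the IP was a target or replying, not scanning
        else:
            verdict = "no-flows"
        results[e.ip] = (outbound, inbound, verdict)
    return results


if __name__ == "__main__":
    for ip, (out, inn, verdict) in corroborate(parse_report(REPORT_TEXT), FLOWS).items():
        print(f"{ip:16} out={out} in={inn} {verdict}")
```

A "no-flows" or "inbound-only" result for most of a report is exactly the signal in the message above: either the flow collector is not seeing the traffic the sensor saw, or the report is counting something other than outbound SSH attempts from the listed hosts, and the report's own count column (38 versus 1) can be compared against the outbound tally to see which.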



