[nsp-sec] lists of IPs (and ASNs) for SSH scanning and brute force
Russell Fulton
r.fulton at auckland.ac.nz
Sat Oct 29 22:34:32 EDT 2011
A belated followup on this one.
It turns out that the scan data (as opposed to the brute force data) I posted is unreliable. Thanks to Donald Smith <Donald.Smith at CenturyLink.com> for querying this.
Donald sent me a list of IPs that I had fingered that his data did not support as being scanners. When I checked my flow data and looked at the snort alerts I saw that all of them were 'scanning' the same IP on our network, and that IP was the public face of our student wireless network (NATted). When I looked at destination stats for the snort alerts, this IP was an order of magnitude higher than anything else.
Flow data revealed that we were seeing two TCP connection attempts very close together, and this is enough to trigger the standard snort rule for ssh scans. Flow data also showed packets to UDP 22 too. I conclude that it is nothing to do with SSH and is most likely one of the P2P protocols.
The timeouts on the tcp connection attempts are very short, and these connections keep repeating several times an hour, making it look like a scan if you don't look too closely :(
I have adjusted the number of SYN packets needed to trip the signature up to 8 (from 5) in a 120 interval and will examine things carefully before posting any more data.
Apologies for the confusion and inconvenience.
Russell
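An added illustration of the false positive described above, written for this archive page and not part of Russell's post or of the list's tooling: a small sliding-window SYN counter over constructed flow records (timestamps, addresses and the 120-second window are assumed here, and the Snort signature itself is not reproduced). It shows that raising the per-window SYN threshold from 5 to 8 silences the repeating-pair source, and that counting distinct destinations separates a real scanner (many targets) from a single NATted destination that also receives UDP/22.

```python
from collections import defaultdict, deque

# Constructed flow records for the demonstration, not data from the post:
# (time_seconds, src, dst, proto, dport, tcp_flags)
FLOWS = []

# A genuine scanner: one SYN every 5 s to twelve different hosts on TCP/22.
for i in range(12):
    FLOWS.append((i * 5, "198.51.100.7", f"192.0.2.{i + 1}", "tcp", 22, "S"))

# The P2P-like source: pairs of short-lived SYNs to the SAME NATted address,
# repeating every 40 s, plus a UDP/22 packet. Later pair falls outside the window.
for start in (0, 40, 80, 300):
    FLOWS.append((start, "203.0.113.5", "192.0.2.10", "tcp", 22, "S"))
    FLOWS.append((start + 1, "203.0.113.5", "192.0.2.10", "tcp", 22, "S"))
FLOWS.append((2, "203.0.113.5", "192.0.2.10", "udp", 22, ""))


def syn_alerts(flows, threshold, window):
    """Return {src: time_of_first_alert} for sources that send at least
    `threshold` bare SYNs to TCP/22 within any `window` seconds.
    This mirrors a simple count-based scan signature."""
    recent = defaultdict(deque)   # src -> timestamps inside the current window
    alerted = {}
    for t, src, dst, proto, dport, flags in sorted(flows):
        if proto != "tcp" or dport != 22 or flags != "S":
            continue                # only bare SYNs to port 22 count
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()             # drop SYNs older than the window
        if len(q) >= threshold and src not in alerted:
            alerted[src] = t
    return alerted


def distinct_targets(flows, src):
    """Set of destination addresses that `src` sent TCP/22 SYNs to."""
    return {dst for t, s, dst, proto, dport, flags in flows
            if s == src and proto == "tcp" and dport == 22 and flags == "S"}


def udp22_sources(flows):
    """Sources that also send UDP to port 22 (a hint that this is not SSH)."""
    return {src for t, src, dst, proto, dport, flags in flows
            if proto == "udp" and dport == 22}


def triage(flows, threshold=8, window=120, min_targets=3):
    """Combine the SYN count with a destination-spread check.
    Returns {src: (alert_time, distinct_target_count, verdict)}."""
    udp = udp22_sources(flows)
    out = {}
    for src, when in syn_alerts(flows, threshold, window).items():
        targets = distinct_targets(flows, src)
        if len(targets) >= min_targets:
            verdict = "likely scanner"
        else:
            verdict = "single-target repeat; check NAT/P2P"
            if src in udp:
                verdict += " (also sends UDP/22)"
        out[src] = (when, len(targets), verdict)
    return out


if __name__ == "__main__":
    print("threshold 5:", triage(FLOWS, threshold=5))
    print("threshold 8:", triage(FLOWS, threshold=8))
```

With the threshold at 5 both sources trip the counter, but only the scanner touches many destinations; at 8 the repeating-pair source drops out entirely, which is the effect the threshold change above is meant to have. The destination-spread check is the cheaper fix in practice, since a single destination absorbing all the 'scans' is exactly the pattern the destination stats revealed.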
On 23/10/2011, at 12:26 PM, Russell Fulton wrote:
> ----------- nsp-security Confidential --------
>
>
> scan file alerts on SYN packets and the brute file on connected session…
>
> <sshscan><sshbrute>
>
>
> Times
>
> Russell Fulton
>
> Information Security Officer, The University of Auckland
> New Zealand
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________