Networking Forums

Blocking attacks from spoofed IP addresses

 
 
Marty
10-01-2009, 12:41 AM
Some clown (on my subnet, I would guess) thinks he's exceedingly clever
and is sending repeated SSH login attempts to my machine using spoofed
IP addresses (making the consolidated attack appear to be coming from
all over the world). I'm scrutinizing his packets, but I'm not sure how
to find the "fingerprints" I need to filter them out.

I thought that the MAC address might be a good place to start looking,
but all of the packets I see are coming from the MAC address of my cable
modem. I'm not concerned about him getting in because he's attempting
root logins and I disabled root logins through ssh, but I want to drop
his nonsense traffic if I can, and also avoid any other attacks that
might be coming from him which may have escaped my notice.

Any ideas how I can dig deeper to find a common thread that I can use to
filter his traffic?

--
Reverse the parts of the e-mail address to reply by mail.
 
Grant
10-01-2009, 02:08 AM
On Wed, 30 Sep 2009 17:41:28 -0700, Marty <(E-Mail Removed)> wrote:

>Some clown (on my subnet, I would guess) thinks he's exceedingly clever
>and is sending repeated SSH login attempts to my machine using spoofed
>IP addresses (making the consolidated attack appear to be coming from
>all over the world). I'm scrutinizing his packets, but I'm not sure how
>to find the "fingerprints" I need to filter them out.


Do you need to?

>I thought that the MAC address might be a good place to start looking,
>but all of the packets I see are coming from the MAC address of my cable
>modem.


There's no MAC addr for Internet packets, you may be able to correlate
TTL, but I don't see the point. I get SSH attempts quite frequently
from all over, but there's nothing listening on port 22 here.

> I'm not concerned about him getting in because he's attempting
>root logins and I disabled root logins through ssh, but I want to drop
>his nonsense traffic if I can, and also avoid any other attacks that
>might be coming from him which may have escaped my notice.


Do you need to allow _any_ SSH logins? If so why not bump them to
another port? That way you can leave 22 closed.

>Any ideas how I can dig deeper to find a common thread that I can use to
>filter his traffic?


I don't see the point in assuming it's just one clown out there.

Grant.
--
http://bugsplatter.id.au
 
Allen Kistler
10-01-2009, 02:42 AM
Marty wrote:
> Some clown (on my subnet, I would guess) thinks he's exceedingly clever
> and is sending repeated SSH login attempts to my machine using spoofed
> IP addresses (making the consolidated attack appear to be coming from
> all over the world). I'm scrutinizing his packets, but I'm not sure how
> to find the "fingerprints" I need to filter them out.


Welcome to the Internet. Lots of people are trying to get into
everybody else's ssh server.

Spoofing source addresses for TCP is mostly useless for anything other
than a DOS attack. The addresses you see are probably all real.

As for vocabulary, unless he's in your house, he's probably not on your
subnet.

> I thought that the MAC address might be a good place to start looking,
> but all of the packets I see are coming from the MAC address of my cable
> modem. I'm not concerned about him getting in because he's attempting
> root logins and I disabled root logins through ssh, but I want to drop
> his nonsense traffic if I can, and also avoid any other attacks that
> might be coming from him which may have escaped my notice.


The MAC address is always the last hop. That's how routing works.

I suggest using only public key authentication. Disable password
authentication. Some of the ssh attacks are distributed. It's harder
to guess an asymmetric key than any password you can dream up, no matter
how cool you think it is.

You can keep track of the IP addresses and block them. Or use a utility
to do it for you. I haven't needed to resort to things like fail2ban,
etc., but some people like them. I'll let them suggest their favorites.

> Any ideas how I can dig deeper to find a common thread that I can use to
> filter his traffic?


There is no common thread. It's not one person. It's every kid with a
script, plus every criminal organization, plus maybe every cyberspy in
China. They're evil, they're your neighbors, and you can't move away.
Different people figure out different ways to deal with it. Now you get
to pick yours.
 
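Allen's advice in the post above (keys only, password authentication off) together with the root-login change Marty already made and the port move Grant suggests, shown as an sshd_config fragment. This is an added example, not configuration from the thread or from any poster's machine; the weak lines are the permissive defaults as commonly shipped, and the user name and port number are placeholders.

```text
# Permissive settings (as commonly shipped; each one left at its default is a
# line a brute-forcer can work against):
#PermitRootLogin yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
#Port 22

# Hardened /etc/ssh/sshd_config (added example; "marty" and 2222 are placeholders).
# sshd does not accept trailing comments after a directive, so comments sit on
# their own lines.

# Optional: moves the listener off the port the scanners hit. Marty's concern
# that a corporate firewall may block a non-standard port is real; leave this
# out if you must reach the box from such networks.
Port 2222

# What Marty has already done.
PermitRootLogin no

# Allen's suggestion: public keys only.
PubkeyAuthentication yes
PasswordAuthentication no

# Without this, keyboard-interactive (PAM) can still accept a password even
# when PasswordAuthentication is off.
ChallengeResponseAuthentication no
UsePAM yes

# Fewer guesses per connection and a shorter window for an idle handshake.
MaxAuthTries 3
LoginGraceTime 30

# Only the named accounts may log in at all; root is excluded regardless of
# PermitRootLogin.
AllowUsers marty
```

Check the file with `sshd -t` before restarting the daemon, and keep the current session open until a fresh login with the key succeeds; with password authentication off, a client that does not hold the private key cannot get in at all, which is the point, but also the trap if the key is only on one machine.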
 
Joe Pfeiffer
10-01-2009, 03:56 AM
Marty <(E-Mail Removed)> writes:

> Some clown (on my subnet, I would guess) thinks he's exceedingly clever
> and is sending repeated SSH login attempts to my machine using spoofed
> IP addresses (making the consolidated attack appear to be coming from
> all over the world). I'm scrutinizing his packets, but I'm not sure how
> to find the "fingerprints" I need to filter them out.


Why are you guessing he's on your subnet?

> I thought that the MAC address might be a good place to start looking,
> but all of the packets I see are coming from the MAC address of my cable
> modem. I'm not concerned about him getting in because he's attempting
> root logins and I disabled root logins through ssh, but I want to drop
> his nonsense traffic if I can, and also avoid any other attacks that
> might be coming from him which may have escaped my notice.


Since they seem to be coming from your cable modem, why do you think
they're coming from somewhere other than the other side of your cable
modem?

> Any ideas how I can dig deeper to find a common thread that I can use to
> filter his traffic?


--
As we enjoy great advantages from the inventions of others, we should
be glad of an opportunity to serve others by any invention of ours;
and this we should do freely and generously. (Benjamin Franklin)
 
Marty
10-01-2009, 04:46 AM
Grant wrote:
> On Wed, 30 Sep 2009 17:41:28 -0700, Marty <(E-Mail Removed)> wrote:
>
>> Some clown (on my subnet, I would guess) thinks he's exceedingly clever
>> and is sending repeated SSH login attempts to my machine using spoofed
>> IP addresses (making the consolidated attack appear to be coming from
>> all over the world). I'm scrutinizing his packets, but I'm not sure how
>> to find the "fingerprints" I need to filter them out.

>
> Do you need to?


My line of thinking was, if he's attacking this port, I don't want any
of his network traffic, because he's probably making other break-in
attempts through other means as well.

>> I thought that the MAC address might be a good place to start looking,
>> but all of the packets I see are coming from the MAC address of my cable
>> modem.

>
> There's no MAC addr for Internet packets, you may be able to correlate
> TTL, but I don't see the point. I get SSH attempts quite frequently
> from all over, but there's nothing listening on port 22 here.


I use SSH for myself, and I haven't moved the port. Maybe it's time to
consider doing so, but I might have to contend with corporate firewalls
then.

>> I'm not concerned about him getting in because he's attempting
>> root logins and I disabled root logins through ssh, but I want to drop
>> his nonsense traffic if I can, and also avoid any other attacks that
>> might be coming from him which may have escaped my notice.

>
> Do you need to allow _any_ SSH logins? If so why not bump them to
> another port? That way you can leave 22 closed.


That sounds like the only viable option.

>> Any ideas how I can dig deeper to find a common thread that I can use to
>> filter his traffic?

>
> I don't see the point in assuming it's just one clown out there


Big assumption on my part, and after reading the responses here I'm
starting to see that it probably doesn't hold water.

The strange thing is that I never saw ANY of these attempts before
today! Sure I've seen ssh login attempts, but for other user names.
This one was consistently root, every time, every minute of the day,
using a non-interactive login. That's what made me think it was a
single person, possibly in close vicinity. Same MO on every attack,
which was unlike all previous attacks I had seen.

--
Reverse the parts of the e-mail address to reply by mail.
 
Marty
10-01-2009, 04:54 AM
David Schwartz wrote:
> On Sep 30, 5:41 pm, Marty <n...@comcast.martyamodeo> wrote:
>
>> Some clown (on my subnet, I would guess) thinks he's exceedingly clever
>> and is sending repeated SSH login attempts to my machine using spoofed
>> IP addresses (making the consolidated attack appear to be coming from
>> all over the world). I'm scrutinizing his packets, but I'm not sure how
>> to find the "fingerprints" I need to filter them out.

>
> Since he can't even establish a TCP connection (because he can't get
> the replies), there's probably not much benefit to filtering them out.


Good point, but again I'd like to stop any influence from this
"individual" (or group) if I can. SSH isn't the only vector into my
machine, I'm sure. It just happens to be one that I'm monitoring closely.

>> I thought that the MAC address might be a good place to start looking,
>> but all of the packets I see are coming from the MAC address of my cable
>> modem.

>
> Of course. MAC is an Ethernet thing, and those Ethernet packets
> originate at your cable modem. Your modem is routing, not bridging.


In short, logic and reason dashes that one to bits. Thanks. :-)

>> I'm not concerned about him getting in because he's attempting
>> root logins and I disabled root logins through ssh, but I want to drop
>> his nonsense traffic if I can, and also avoid any other attacks that
>> might be coming from him which may have escaped my notice.

>
> How can he attempt root logins? If he spoofs the source IP address, he
> can't get the reply packet.


Never even stopped to consider that. Thanks. Could still be some kind
of DOS attack, and also indicates that other attacks may be underway
from this individual, but he won't get far with SSH (or anything really)
if he is spoofing. Could just gum up the works a bit. I'd rather he
thinks that I'm not there though, ideally.

>> Any ideas how I can dig deeper to find a common thread that I can use to
>> filter his traffic?

>
> Filter all SSH from unknown IPs. Have a web page that allows you to
> authorize an IP for SSH login.


Might make things a little more painful for me, but does get the job
done. Thanks for the idea.

> I doubt it's one person (or if it is, he's using a botnet or multiple
> machines). Since the TCP connections are establishing (I think you at
> least implied that), then he must be receiving the packets.


Yes, I think you are quite right. There is definitely two-way
communication occurring. The only question is if it's a pooled effort
or an individual one. In any case after 10 failed attempts in 24 hours,
I drop packets from the IP, so he'll burn up every IP he's got before he
gets through .0001% of the search space. Ok, I can rest on that I think.

--
Reverse the parts of the e-mail address to reply by mail.
 
Marty
10-01-2009, 05:00 AM
Allen Kistler wrote:
> Marty wrote:
>> Some clown (on my subnet, I would guess) thinks he's exceedingly clever
>> and is sending repeated SSH login attempts to my machine using spoofed
>> IP addresses (making the consolidated attack appear to be coming from
>> all over the world). I'm scrutinizing his packets, but I'm not sure how
>> to find the "fingerprints" I need to filter them out.

>
> Welcome to the Internet. Lots of people are trying to get into
> everybody else's ssh server.


Yup. I'm not so naive that I didn't expect this. I was just concerned
that this seemed to be on a grander scale than I had seen before and I
was wondering if there was a way I could link all of the attacks
together or if they were operating independently.

> Spoofing source addresses for TCP is mostly useless for anything other
> than a DOS attack. The addresses you see are probably all real.


Agreed.

> As for vocabulary, unless he's in your house, he's probably not on your
> subnet.


I was thinking "subnet" in terms of the address that my cable modem
acquired.

>> I thought that the MAC address might be a good place to start looking,
>> but all of the packets I see are coming from the MAC address of my cable
>> modem. I'm not concerned about him getting in because he's attempting
>> root logins and I disabled root logins through ssh, but I want to drop
>> his nonsense traffic if I can, and also avoid any other attacks that
>> might be coming from him which may have escaped my notice.

>
> The MAC address is always the last hop. That's how routing works.
>
> I suggest using only public key authentication. Disable password
> authentication. Some of the ssh attacks are distributed. It's harder
> to guess an asymmetric key than any password you can dream up, no matter
> how cool you think it is.


Really hard to enter your key through a corporate machine on someone
else's network, right? Or is there an easy way? I won't always have
access to the hardware to insert a USB stick or something.

> You can keep track of the IP addresses and block them. Or use a utility
> to do it for you. I haven't needed to resort to things like fail2ban,
> etc., but some people like them. I'll let them suggest their favorites.


Yup. Already rolled my own that does a number of other things along
with the blocking.

>> Any ideas how I can dig deeper to find a common thread that I can use to
>> filter his traffic?

>
> There is no common thread. It's not one person. It's every kid with a
> script, plus every criminal organization, plus maybe every cyberspy in
> China. They're evil, they're your neighbors, and you can't move away.
> Different people figure out different ways to deal with it. Now you get
> to pick yours.


Any sandbox I can bury my head in?? ;-)

--
Reverse the parts of the e-mail address to reply by mail.
 
Marty
10-01-2009, 05:02 AM
Joe Pfeiffer wrote:
> Marty <(E-Mail Removed)> writes:
>
>> Some clown (on my subnet, I would guess) thinks he's exceedingly clever
>> and is sending repeated SSH login attempts to my machine using spoofed
>> IP addresses (making the consolidated attack appear to be coming from
>> all over the world). I'm scrutinizing his packets, but I'm not sure how
>> to find the "fingerprints" I need to filter them out.

>
> Why are you guessing he's on your subnet?


The lease on my IP address changed recently. Before this happened, I
didn't notice this flavor of attacks. Purely a guess, and probably a
bad one, based on little or no evidence.

>> I thought that the MAC address might be a good place to start looking,
>> but all of the packets I see are coming from the MAC address of my cable
>> modem. I'm not concerned about him getting in because he's attempting
>> root logins and I disabled root logins through ssh, but I want to drop
>> his nonsense traffic if I can, and also avoid any other attacks that
>> might be coming from him which may have escaped my notice.

>
> Since they seem to be coming from your cable modem, why do you think
> they're coming from somewhere other than the other side of your cable
> modem?


Ignorance on my part. Simple as that. :-)

>> Any ideas how I can dig deeper to find a common thread that I can use to
>> filter his traffic?


--
Reverse the parts of the e-mail address to reply by mail.
 
Grant
10-01-2009, 05:57 AM
On Wed, 30 Sep 2009 22:00:53 -0700, Marty <(E-Mail Removed)> wrote:

>Allen Kistler wrote:

....
>> As for vocabulary, unless he's in your house, he's probably not on your
>> subnet.

>
>I was thinking "subnet" in terms of the address that my cable modem
>acquired.


Yes, I think of it as my ISP's block rather than a subnet.
....
>> I suggest using only public key authentication. Disable password
>> authentication. Some of the ssh attacks are distributed. It's harder
>> to guess an asymmetric key than any password you can dream up, no matter
>> how cool you think it is.

>
>Really hard to enter your key through a corporate machine on someone
>else's network, right? Or is there an easy way? I won't always have
>access to the hardware to insert a USB stick or something.

....
>Any sandbox I can bury my head in?? ;-)




Sometimes I do a 'whois' on what looks like related IPs and ban entire
CIDR blocks at the firewall (a linux box with bridged modem). Just
checked, only 38 banned blocks collected over the last couple years,
so it's not a big ask for iptables to do that.

Grant.
--
http://bugsplatter.id.au
 
Unruh
10-01-2009, 04:01 PM
Marty <(E-Mail Removed)> writes:

>Some clown (on my subnet, I would guess) thinks he's exceedingly clever
>and is sending repeated SSH login attempts to my machine using spoofed
>IP addresses (making the consolidated attack appear to be coming from
>all over the world). I'm scrutinizing his packets, but I'm not sure how
>to find the "fingerprints" I need to filter them out.


>I thought that the MAC address might be a good place to start looking,
>but all of the packets I see are coming from the MAC address of my cable
>modem. I'm not concerned about him getting in because he's attempting
>root logins and I disabled root logins through ssh, but I want to drop
>his nonsense traffic if I can, and also avoid any other attacks that
>might be coming from him which may have escaped my notice.


>Any ideas how I can dig deeper to find a common thread that I can use to
>filter his traffic?


It is not a "he" it is many many "hes". ssh attacks have become a fact
of life. They are launched from many machines around the world ( remember
that something like 1% of all windows boxes are broken and owned by
spammers, etc. -- that is a lot of IP addresses. )
You can put ssh on a different port -- almost all attacks are on the
standard port. You could disable ssh entirely.
And you cannot "drop his traffic". His traffic has to be read by your
filtering software to drop it.
You can also put in a script to read the logs and if there is more than
say 5 unsuccessful login attempts, put the address into /etc/hosts.allow
with a deny tag. (but remember to keep the lines shorter than about 1000
bytes-- there is a bug in the hosts.allow software which crashes the
system if a line is longer, and Venema refuses to fix it).


>--
>Reverse the parts of the e-mail address to reply by mail.

 
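Three of the mechanisms described in this thread, implemented together as one added example in Python: Marty's rule of dropping packets from an address after 10 failed attempts in 24 hours (his 04:54 AM post), Grant's banning of whole CIDR blocks at an iptables firewall (05:57 AM), and Unruh's log-reading script that writes deny entries while keeping each line under about 1000 bytes (above). This is not code from the thread, from Marty's own script or from fail2ban. The auth.log lines are constructed for the example, the host name "gw" and the port numbers are placeholders, and a fixed /24 prefix stands in for the whois lookup Grant does by hand.

```python
"""Added example (not from the thread): threshold-based blocking of SSH
brute-force sources from auth.log lines.  Sample log lines are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog lines carry no year, so one is supplied when parsing.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def _fail(ts, user, ip, port):
    """Build one constructed 'Failed password' line (host 'gw' is a placeholder)."""
    return f"{ts} gw sshd[2311]: Failed password for {user} from {ip} port {port} ssh2"


# Constructed sample: 203.0.113.7 fails ten times in ten minutes (the pattern
# Marty saw), 198.51.100.23 fails three times, 192.0.2.44 fails ten times but
# spread over three days, so never ten inside one 24 h window.
SAMPLE_LOG = (
    [_fail(f"Oct  1 00:{m:02d}:12", "root", "203.0.113.7", 51000 + m) for m in range(1, 11)]
    + [_fail(f"Oct  1 03:1{m}:40", "invalid user admin", "198.51.100.23", 4400 + m) for m in range(3)]
    + [_fail(f"Sep {27 + h // 24} {h % 24:02d}:00:05", "root", "192.0.2.44", 60000 + h) for h in range(0, 80, 8)]
    + ["Oct  1 04:46:01 gw sshd[2390]: Accepted publickey for marty from 198.51.100.9 port 50111 ssh2",
       "Oct  1 04:46:02 gw CRON[2401]: (root) CMD (run-parts /etc/cron.hourly)"]
)


def parse_failures(lines, year=2009):
    """Return (timestamp, source ip, user) for every failed-password line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def offenders(events, threshold=10, window=timedelta(hours=24)):
    """Addresses with at least `threshold` failures inside some `window`-long
    span (Marty's 10-in-24-hours rule).  A sliding window over the sorted
    timestamps, so a source pacing its attempts is caught as soon as any
    24 h stretch holds ten of them, not only on calendar-day boundaries."""
    by_ip = defaultdict(list)
    for ts, ip, _user in events:
        by_ip[ip].append(ts)
    hits = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                hits.add(ip)
                break
    return sorted(hits, key=ipaddress.ip_address)


def collapse_blocks(ips, prefixlen=24):
    """Widen each address to its /prefixlen and merge overlaps: Grant's
    whole-block bans.  He picks the block from whois; a fixed /24 is assumed here."""
    nets = [ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def iptables_rules(networks, chain="INPUT"):
    """Commands that drop everything from the banned blocks, not just port 22."""
    return [f"iptables -I {chain} -s {net} -j DROP" for net in networks]


def hosts_deny_lines(ips, max_len=1000):
    """'sshd: a b c' lines for /etc/hosts.deny (Unruh's variant is the same
    list in hosts.allow with a ': deny' option), split so that no line
    exceeds max_len bytes, the limit he warns about."""
    lines, current = [], "sshd:"
    for ip in ips:
        candidate = f"{current} {ip}"
        if len(candidate) > max_len and current != "sshd:":
            lines.append(current)
            current = f"sshd: {ip}"
        else:
            current = candidate
    if current != "sshd:":
        lines.append(current)
    return lines


if __name__ == "__main__":
    bad = offenders(parse_failures(SAMPLE_LOG))
    print("\n".join(iptables_rules(collapse_blocks(bad))))
    print("\n".join(hosts_deny_lines(bad)))
```

Run against a real log by feeding the lines of /var/log/auth.log to `parse_failures` (pass the right `year`; syslog timestamps do not carry it, so a run that spans New Year needs two passes), and put your own addresses on an exception list before inserting any DROP rule, or one mistyped password from a travelling laptop locks you out. As David Schwartz pointed out in the thread, these failures come from addresses that completed the TCP handshake, so a spoofed source cannot be on the list; what the /24 widening can do is take out innocent neighbours of the attacker, which is the trade-off Grant accepts.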
 
 
 