Common characteristics

The attempts were all password authentication attempts (no other authentication methods attempted)

For the most part an alphabetic sequence of 'likely' user names, but at least one long run of root only attempts (as we got confirmed later + other sources)

Anything from seconds to minutes between attempts, but attempts from any single host at much longer intervals.