The Hail Mary Cloud And The Lessons Learned

BSDCan, Ottawa 17 May 2013

Peter N. M. Hansteen

BSDly.net

peter@bsdly.net

peter.hansteen@evry.com

Twitter: @pitrh


Table of Contents
The Hail Mary Cloud: A Widely Distributed, Low Intensity Password Guessing Botnet
The Traditional SSH Bruteforce Attack
The Likely Business Plan
Traditional Anti-Bruteforce Rules
Traditional Anti-Bruteforce Rules, Linux Style
What's That? Something New!
The Initial Reaction
Business Plan, Distributed Version
You're The Target
Initial Public Reaction
On December 30th, 2008, The Attempts Stopped
Common Characteristics
First Round Observations, Early Conclusions
But Of Course They Came Back
Introducing dt_ssh5, Linux /tmp Resident
dt_ssh5: Basic Algorithm
The Waves We Saw, 2008 - 2012
For A While, The Botnet Grew
It Went Away Or Dwindled
And Resurfaced In China?
Then What To Do?
sshd_config: PermitRootLogin no ++
Keep Them Out, Keep Them Guessing
Keys. You've Got To Have Keys!
Why Not Use Port Knocking?
Why Not Use Port Knocking? (continued)
There's No Safety In High Ports Anymore
Final Thoughts, For Now
Final Thoughts, Part II
Questions?
References
If you enjoyed this: Support OpenBSD!