The Hail Mary Cloud: A Widely Distributed, Low Intensity Password Guessing SSH Botnet

The Hail Mary Cloud was a widely distributed, low intensity password guessing botnet that targeted Secure Shell (ssh) servers on the public Internet.

The first activity may have been as early as 2005 [Mobin and Paxson (2013)], our first recorded data start in late 2008. Links to full data and extracts are found in this presentation.

We present the basic behavior and algorithms, and point to possible policies for staying safe(r) from similar present or future attacks, as well as some attacks on other services.

But first, the devil we knew -