DOI: 10.1145/2508859.2516719
Research article, ACM CCS conference proceedings

Detecting stealthy, distributed SSH brute-forcing

Published: 04 November 2013

Abstract

In this work we propose a general approach for detecting distributed malicious activity in which individual attack sources each operate in a stealthy, low-profile manner. We base our approach on observing statistically significant changes in a parameter that summarizes aggregate activity, bracketing a distributed attack in time, and then determining which sources present during that interval appear to have coordinated their activity. We apply this approach to the problem of detecting stealthy distributed SSH brute-forcing activity, showing that we can model the process of legitimate users failing to authenticate using a beta-binomial distribution, which enables us to tune a detector that trades off an expected level of false positives versus time-to-detection. Using the detector we study the prevalence of distributed brute-forcing, finding dozens of instances in an extensive 8-year dataset collected from a site with several thousand SSH users. Many of the attacks, some of which last months, would be quite difficult to detect individually. While a number of the attacks reflect indiscriminate global probing, we also find attacks that targeted only the local site, as well as occasional attacks that succeeded.
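The pipeline the abstract sketches, as an added illustration written for this page rather than the authors' code: the paper's exact estimator, thresholds and rules for attributing coordination are not on this page, so the example assumes hourly bins, a moment-matched Beta prior for the per-hour failure probability, a one-sided CUSUM with slack k and threshold h on the standardised failure count, and a crude heuristic that a source present in the bracketed window "coordinated" if all of its attempts there failed and it never authenticated before. The log, the address ranges and the usernames are constructed sample data.

```python
"""Added illustration of the abstract's pipeline (not the authors' code): fit a
beta-binomial model of legitimate failures, run a CUSUM on hourly failure counts,
bracket the change in time, then sweep the sources active in that window."""
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Attempt:
    hour: int   # hour index since the start of the log
    src: str    # client address
    user: str   # account tried
    ok: bool    # True if authentication succeeded


# Constructed legitimate traffic: (attempts, failures) per hour, cycled.
LEGIT_PATTERN = [(40, 4), (50, 6), (30, 2), (60, 5)]
LEGIT_SRCS = [f"10.0.0.{i}" for i in range(20)]
ATTACK_SRCS = [f"203.0.113.{i}" for i in range(1, 13)]  # 12 low-rate attackers

def build_log(hours=36, attack_hours=range(30, 34), attackers=ATTACK_SRCS) -> List[Attempt]:
    """Constructed log: the first f legitimate attempts of each hour fail (so
    every benign source also succeeds each hour); during attack_hours each
    attacker adds a single failed 'root' attempt per hour."""
    log: List[Attempt] = []
    for hr in range(hours):
        n, f = LEGIT_PATTERN[hr % len(LEGIT_PATTERN)]
        for i in range(n):
            j = i % len(LEGIT_SRCS)
            log.append(Attempt(hr, LEGIT_SRCS[j], f"user{j}", ok=i >= f))
        if hr in attack_hours:
            log.extend(Attempt(hr, src, "root", ok=False) for src in attackers)
    return log

def hourly_counts(log: List[Attempt]) -> Dict[int, Tuple[int, int]]:
    """hour -> (attempts, failures): the aggregate parameter being watched."""
    n: Dict[int, int] = defaultdict(int)
    f: Dict[int, int] = defaultdict(int)
    for a in log:
        n[a.hour] += 1
        f[a.hour] += 0 if a.ok else 1
    return {hr: (n[hr], f[hr]) for hr in n}

def fit_beta(fractions: List[float]) -> Tuple[float, float]:
    """Moment-match Beta(a, b) to the failure fractions of benign hours.
    Assumption: the spread of observed fractions stands in for the spread of the
    latent failure probability (sampling noise widens the prior a little)."""
    m = sum(fractions) / len(fractions)
    v = sum((x - m) ** 2 for x in fractions) / len(fractions)
    if v <= 0:
        raise ValueError("training fractions show no variation")
    scale = m * (1 - m) / v - 1
    return m * scale, (1 - m) * scale

def bracket_attack(counts: Dict[int, Tuple[int, int]], a: float, b: float,
                   k: float = 0.5, h: float = 5.0) -> Optional[Tuple[int, int]]:
    """One-sided CUSUM on failures standardised by the beta-binomial mean n*mu and
    variance n*mu*(1-mu)*(a+b+n)/(a+b+1). Returns (start, alarm_hour); start is the
    first hour of the run over which the statistic stayed positive. Slack k and
    threshold h trade false positives against time-to-detection."""
    mu = a / (a + b)
    s, start = 0.0, None
    for hr in sorted(counts):
        n, f = counts[hr]
        var = n * mu * (1 - mu) * (a + b + n) / (a + b + 1)
        s = max(0.0, s + (f - n * mu) / sqrt(var) - k)
        start = None if s == 0.0 else (hr if start is None else start)
        if s > h:
            return start, hr
    return None

def coordinated_sources(log: List[Attempt], window: Tuple[int, int]) -> Set[str]:
    """Heuristic (an assumption, cruder than the paper's analysis): a source seen
    in the window is a candidate coordinator if all of its attempts there failed
    and it never authenticated successfully before the window started."""
    start, end = window
    succeeded_before = {a.src for a in log if a.hour < start and a.ok}
    outcomes: Dict[str, List[bool]] = defaultdict(list)
    for a in log:
        if start <= a.hour <= end:
            outcomes[a.src].append(a.ok)
    return {src for src, oks in outcomes.items()
            if not any(oks) and src not in succeeded_before}

def detect(log: List[Attempt], train_hours: int = 24, k: float = 0.5, h: float = 5.0):
    """Fit on the first train_hours (assumed benign), then scan the whole log."""
    counts = hourly_counts(log)
    train = [counts[hr][1] / counts[hr][0] for hr in sorted(counts) if hr < train_hours]
    a, b = fit_beta(train)
    window = bracket_attack(counts, a, b, k, h)
    return window, (coordinated_sources(log, window) if window else set())

if __name__ == "__main__":
    window, srcs = detect(build_log())
    print("bracketed hours:", window, "coordinated sources:", sorted(srcs))
```

Run as a script it prints the bracketed hours and the flagged addresses. With the constructed data the twelve attackers add only one failure each per hour, which no per-source threshold of the fail2ban kind would notice, yet the aggregate failure count jumps several standard deviations and the CUSUM alarms within the first two attack hours. Raising h lengthens time-to-detection but raises the bar for a false alarm, lowering it does the opposite, which is the trade-off the abstract refers to. The heuristic in coordinated_sources is deliberately crude: a legitimate user connecting for the first time from a new address and mistyping a password would be flagged too, so in practice the candidate set needs further evidence of coordination (shared usernames, timing, password patterns), which this example does not implement.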



Published In

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
November 2013, 1530 pages
ISBN: 9781450324779
DOI: 10.1145/2508859

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. brute-forcing
2. distributed
3. scanning
4. ssh


Acceptance Rates

CCS '13 paper acceptance rate: 105 of 530 submissions, 20%
Overall acceptance rate: 1,261 of 6,999 submissions, 18%

Cited By

• (2024) Long-Short Term Memory Network Based Model for Reverse Brute Force Attack Detection. International Journal of Innovative Science and Research Technology (IJISRT), pp. 450-461. DOI: 10.38124/ijisrt/IJISRT24JUL160. Online publication date: 22 Jul 2024.
• (2024) Brute forcing on secured shell servers emphasising the role of cyber forensics – a quali-quantitative study. Medico-Legal Journal 92(3), pp. 152-157. DOI: 10.1177/00258172241236269. Online publication date: 13 Jun 2024.
• (2024) Query Planning for Robust and Scalable Hybrid Network Telemetry Systems. Proceedings of the ACM on Networking 2(CoNEXT1), pp. 1-27. DOI: 10.1145/3649471. Online publication date: 28 Mar 2024.
• (2024) Distributed Network Telemetry With Resource Efficiency and Full Accuracy. IEEE/ACM Transactions on Networking 32(3), pp. 1857-1872. DOI: 10.1109/TNET.2023.3327345. Online publication date: Jun 2024.
• (2024) FARM: Comprehensive Data Center Network Monitoring and Management. 2024 IEEE 44th International Conference on Distributed Computing Systems (ICDCS), pp. 520-530. DOI: 10.1109/ICDCS60910.2024.00055. Online publication date: 23 Jul 2024.
• (2024) A Survey on Enterprise Network Security: Asset Behavioral Monitoring and Distributed Attack Detection. IEEE Access 12, pp. 89363-89383. DOI: 10.1109/ACCESS.2024.3419068. Online publication date: 2024.
• (2024) Persistent Sketch: A Memory-Efficient and Robust Algorithm for Finding Top-k Persistent Flows. Algorithms and Architectures for Parallel Processing, pp. 19-38. DOI: 10.1007/978-981-97-0811-6_2. Online publication date: 27 Feb 2024.
• (2023) OmniWindow: A General and Efficient Window Mechanism Framework for Network Telemetry. Proceedings of the ACM SIGCOMM 2023 Conference, pp. 867-880. DOI: 10.1145/3603269.3604847. Online publication date: 10 Sep 2023.
• (2023) Semi-supervised Few-shot Network Intrusion Detection based on Meta-learning. 2023 IEEE International Conferences on Internet of Things (iThings) and IEEE Green Computing & Communications (GreenCom) and IEEE Cyber, Physical & Social Computing (CPSCom) and IEEE Smart Data (SmartData) and IEEE Congress on Cybermatics (Cybermatics), pp. 495-502. DOI: 10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics60724.2023.00097. Online publication date: 17 Dec 2023.
• (2023) Secure Socket Shell Bruteforce Attack Detection With Petri Net Modeling. IEEE Transactions on Network and Service Management 20(1), pp. 697-710. DOI: 10.1109/TNSM.2022.3212591. Online publication date: Mar 2023.
