What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks

No ratings

Presented at passwords 2015 by

Paul Oorschot

David Barrera

Abdelrahman Abdou

We report on what we believe to be the largest dataset (to date) of automated secure shell (SSH) bruteforce attacks. The dataset includes plaintext password guesses in addition to timing, source, and username details, which allows us to analyze attacker behaviour and dynamics (e.g., coordinated attacks and password dictionary sharing). Our methodology involves hosting six instrumented SSH servers in six cities. Over the course of a year, we recorded a total of about 17M login attempts originating from 112 different countries and over 6K distinct source IP addresses. We shed light on attacker behaviour, and based on our findings provide recommendations for SSH users and administrators.