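- From around 08:00 on the 22nd until 16:00 on the 23rd
- 1592 distributed brute-force attacks from 295 machines; per hour, 30 IPs each attack roughly the same number of times.
- All banners are SSH-2.0-libssh-0.2
- Snort rule that detects the client banner SSH-2.0-libssh-0.1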
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
(msg:"Possible SSH brute force attempt"; \
flow:to_server,established; \
threshold:type threshold, track by_src, count 5, seconds 60; \
content:"SSH-2.0-libssh-0.1"; offset: 0; depth: 18;)
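- OS: apart from the unknown ones, Linux 2.4 or 2.6
- Links
- Distribution of attack counts: multiples of 3 are common, perhaps because attacks come in units of 3.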
| Attack count | Number of IPs |
|---|---|
| 21 | 1 |
| 20 | 0 |
| 19 | 0 |
| 18 | 1 |
| 17 | 0 |
| 16 | 0 |
| 15 | 5 |
| 14 | 0 |
| 13 | 1 |
| 12 | 14 |
| 11 | 1 |
| 10 | 0 |
| 9 | 40 |
| 8 | 1 |
| 7 | 0 |
| 6 | 76 |
| 5 | 3 |
| 4 | 0 |
| 3 | 143 |
| 2 | 9 |
| 1 | 0 |
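
Added example, not part of the original notes: the rule above counts per source (`track by_src, count 5, seconds 60`), but a source that makes only 3 attempts never reaches that count. The sketch contrasts a per-source count with counting distinct sources per client banner; the event tuples, the addresses (documentation ranges), the OpenSSH banner and the window and threshold values are constructed assumptions.

```python
from collections import defaultdict, deque

def per_source_hits(events, count=5, seconds=60):
    """Sources with `count` events inside `seconds` (sliding-window
    approximation of `track by_src, count 5, seconds 60`)."""
    recent, hits = defaultdict(deque), set()
    for ts, src, _banner in sorted(events):
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= seconds:          # drop events older than the window
            q.popleft()
        if len(q) >= count:
            hits.add(src)
    return hits

def distributed_hits(events, window=3600, min_sources=20):
    """Banners seen from at least `min_sources` distinct sources inside a
    sliding `window` (seconds). Returns {banner: peak distinct sources}."""
    recent, peak = defaultdict(deque), {}
    for ts, src, banner in sorted(events):
        q = recent[banner]
        q.append((ts, src))
        while ts - q[0][0] >= window:
            q.popleft()
        distinct = len({s for _, s in q})
        if distinct >= min_sources:
            peak[banner] = max(peak.get(banner, 0), distinct)
    return peak

def constructed_events():
    """Constructed sample: 30 sources x 3 attempts within one hour using the
    banner from these notes, plus one ordinary client with 2 connections."""
    ev = []
    for i in range(30):
        start = i * 120                      # a new source every 2 minutes
        for k in range(3):                   # 3 attempts, 2 s apart
            ev.append((start + 2 * k, f"192.0.2.{i + 1}", "SSH-2.0-libssh-0.2"))
    ev.append((100, "198.51.100.7", "SSH-2.0-OpenSSH_4.3"))
    ev.append((900, "198.51.100.7", "SSH-2.0-OpenSSH_4.3"))
    return ev

if __name__ == "__main__":
    ev = constructed_events()
    print("per-source hits:", per_source_hits(ev))
    print("distributed hits:", distributed_hits(ev))
```

The rule's `content` match is for libssh-0.1 while the banners recorded here were libssh-0.2, so the string to key on should be the one actually seen in the traffic.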

| Country | Number of IPs |
|---|---|
| GERMANY | 40 |
| UNITED-STATES | 24 |
| BRAZIL | 18 |
| ITALY | 18 |
| FRANCE | 18 |
| POLAND | 17 |
| EUROPA | 16 |
| AUSTRIA | 12 |
| UNITED-KINGDOM | 10 |
| SPAIN | 9 |
| COLOMBIA | 8 |
| NETHERLANDS | 9 |
| CHINA | 6 |
| ARGENTINA | 6 |
| CZECH-REPUBLIC | 6 |
| SWEDEN | 6 |
| SWITZERLAND | 6 |
| ROMANIA | 6 |
| RUSSIAN-FEDERATION | 6 |
| MEXICO | 5 |
| BELGIUM | 4 |
| UKRAINE | 4 |
| CANADA | 3 |
| FINLAND | 3 |
| SLOVAKIA | 2 |
| DENMARK | 2 |
| PERU | 2 |
| INDONESIA | 2 |
| AUSTRALIA | 2 |
| CHILE | 2 |
| JAPAN | 2 |
| ESTONIA | 2 |
| HUNGARY | 2 |
| VENEZUELA | 1 |
| LITHUANIA | 1 |
| SERBIA-AND-MONTENEGRO | 1 |
| ISRAEL | 1 |
| SRI-LANKA | 1 |
| BULGARIA | 1 |
| COSTA-RICA | 1 |
| BURKINA-FASO | 1 |
| COTE-DIVOIRE | 1 |
| INDIA | 1 |
| PANAMA | 1 |
| KOREA-REPUBLIC-OF | 1 |
| TURKEY | 1 |
| SOUTH-AFRICA | 1 |
| PHILIPPINES | 1 |
| PORTUGAL | 1 |
| THAILAND | 1 |