Hacker News new | ask | show | jobs
by mdtancsa 667 days ago
I suspect the distributed cracking will move to the same pattern as the SMTP/pop3 brute force guys did and use one IP per x+1 seconds where x=the ssh penalty window. We have seen this on our customer facing smtp server where we have hundreds of remote compromised IPs trying each one password per 30-60min. Still, I welcome this change as there are enough single prick attackers out there where this will help cut down on the size of the logs to process / digest.
2 comments
catkitcourt 667 days ago
Actually this already is the SOTA of cracking. My honeypot can see several different IP is brute forcing concurrently, and they seems irrelevant. But once you let one of them login, it will quit immediately and all those IPs will quiet after ~15sec. Then one of those IPs will login again to deploy miner.
link
superjan 667 days ago
Next level: let them login and forward the ssh connection to the digital equivalent of a room full of mirrors.
link
spogbiper 667 days ago
reminds me of using the old MIRROR target in iptables back in the day. before it was removed because its ridiculous. we used to watch script kiddies trying to brute force their own hosts but even then we knew it was ripe for abuse.

https://www.linuxtopia.org/Linux_Firewall_iptables/x4448.htm...

link
Terr_ 666 days ago
Probably for the best, since it sounds like that could be used for DDoS amplification and/or reflection.

For example, if an attack could spoof traffic to get two different reflectors hall-of-mirror-ing each other, or using a botnet that spoofs traffic to get one collection of dupes to slam a single victim in response, etc.

link
metadat 666 days ago
How would you spoof multiple valid packets in a TCP-based protocol requiring a sequence of interactions when you can't receive any of the ACKs (because they'll be sent to not-your-IP)?
link
katzinsky 666 days ago
Depending on the protocol you can probably do reflection attacks over tcp with TFO.
link
snvzz 666 days ago
It was beautiful to see people nuke themselves in winnuke era.
link
iforgotpassword 666 days ago
This is already the practice in my experience. Fail2ban has become completely useless for ssh about 5~6 years ago. Always just one to three tries per IP address.

So looks like this openssh feature is a decade late.

link
lathiat 666 days ago
That doesn’t make it useless. It still severely limits the rate of brute force versus having no limit.
link