We received the following earlier today regarding scans to SSH from this IP address which is a research group in Germany. As far as we are aware it is legitimate research and the scans have been conducted previously. So if you see scans from this IP address, this is what it is about. I'll leave whether you wish to block it or take advantage of their blocklist up to you. Cheers Mark.
Dear colleagues,

Mark, 391 Posts, ISC Handler, Apr 2nd 2013
Thanks for sharing this, Mark. Though this team is legitimate, the only concern is that a malicious actor (attacker) might also pose as a research team and start such scans, though the targets have an option to blacklist the source. There should be a "do not scan for research" list where targets have a choice to add themselves so that they are eliminated from such research activities. This is just a thought which I felt should be shared.

hcbhatt, 14 Posts, Apr 2nd 2013
These guys tried me back in November, I blocked them. Screw 'em.
Speaking of posing as a research team, I still get "GET /w00tw00t.isc.sans.dfind :)" probes from people.

Anonymous, Apr 2nd 2013
Looking at their site, this sentence regarding their app made me cringe: "Note however, that the live notary is not beyond PoC status at the moment - meaning the code works, but very little attention has been paid to security."

Anonymous, Apr 2nd 2013
Yeah. I see that they've scanned us 'cos they're now blocked - upon any kind of scan being detected an automatic block occurs. I dunno - this seems like an example of idiot -> idiot mapping.
I don't care who the scanner is. Scans are not socially acceptable Internet behavior.

Shane, 7 Posts, Apr 2nd 2013
What I fail to understand is the lack of a good Access Control List on the edge router and, past that, the firewall. If the policy of allowing permitted hosts/networks and denying everything else is followed, the only thing an SSH scan will show in router logs is DENIED, with no information being given to scanners (automated or otherwise).
Auto-blocking stuff is nice, but IMO, it's much easier not to allow them access from the beginning.

dogbert2, 21 Posts, Apr 2nd 2013
I believe the point to "blocking" is not to keep them from attacking closed ports, like SSH, but to keep them from trying to exploit other things.
In my network, for example, I block someone that I see doing a portscan, or other scanning activity because I think they may then escalate things into other attacks, such as web application exploits. Or at the very least, it may keep them from finding an actual vulnerability in some other service that I allow. Once the IP of the scanner is added to my blacklist they will not be able to even get to legitimate services that I offer to the general public, like my email and web apps.

Anthus, 2 Posts, Apr 3rd 2013
In my Kippo logs from September 2012:
[me@1 log]$ grep 188\.95\.234\.6 *
kippo.log.315:2012-09-09 17:46:55+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 188.95.234.6:44440 (sanitized:22) [session: 7]
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] Remote SSH version: SSH-2.0-OpenSSH_6.1 This is a routine measurement by the TU Munich . See: http://bozen.net.in.tum.de
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] outgoing: aes128-ctr hmac-md5 none
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] incoming: aes128-ctr hmac-md5 none
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,188.95.234.6] NEW KEYS
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,188.95.234.6] starting service ssh-userauth
kippo.log.315:2012-09-09 17:46:56+0000 [SSHService ssh-userauth on HoneyPotTransport,7,188.95.234.6] root trying auth none
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,188.95.234.6] connection lost

Anonymous, Apr 5th 2013
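As an added example (not code from the anonymous poster, from Kippo, or from the TU Munich group), here is a Python parser that groups Kippo lines like the ones above into sessions and labels each source by how it authenticated: the handshake, then "auth none", then disconnect pattern the scanner shows is separated from a password brute force, and that per-source label, rather than the self-declared banner text, is what an auto-block policy like Anthus's could act on. Session 8 and its 203.0.113.9 address are constructed for contrast.

```python
import re

# Constructed sample modelled on the Kippo lines quoted above: session 7 is the
# 188.95.234.6 session from the post; session 8 (203.0.113.9, TEST-NET-3) is invented.
SAMPLE_LOG = """\
2012-09-09 17:46:55+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 188.95.234.6:44440 (sanitized:22) [session: 7]
2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] Remote SSH version: SSH-2.0-OpenSSH_6.1 This is a routine measurement by the TU Munich . See: http://bozen.net.in.tum.de
2012-09-09 17:46:56+0000 [SSHService ssh-userauth on HoneyPotTransport,7,188.95.234.6] root trying auth none
2012-09-09 17:46:56+0000 [HoneyPotTransport,7,188.95.234.6] connection lost
2012-09-09 18:02:10+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.9:51000 (sanitized:22) [session: 8]
2012-09-09 18:02:10+0000 [HoneyPotTransport,8,203.0.113.9] Remote SSH version: SSH-2.0-constructed-client
2012-09-09 18:02:11+0000 [SSHService ssh-userauth on HoneyPotTransport,8,203.0.113.9] root trying auth password
2012-09-09 18:02:13+0000 [HoneyPotTransport,8,203.0.113.9] connection lost
"""

NEW_RE = re.compile(r"New connection: (?P<ip>[\d.]+):\d+ .*\[session: (?P<sid>\d+)\]")
XPORT_RE = re.compile(r"HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<user>\S+) trying auth (?P<method>\S+)$")

def parse_kippo(text):
    """Group Kippo log lines into per-session records keyed by session id."""
    sessions = {}
    for line in text.splitlines():
        m = NEW_RE.search(line)
        if m:
            sessions[m["sid"]] = {"ip": m["ip"], "banner": "", "auth": [], "closed": False}
            continue
        m = XPORT_RE.search(line)
        if not m or m["sid"] not in sessions:
            continue  # kex/cipher lines and unknown sessions are ignored
        s, msg = sessions[m["sid"]], m["msg"]
        a = AUTH_RE.match(msg)
        if msg.startswith("Remote SSH version: "):
            s["banner"] = msg[len("Remote SSH version: "):]
        elif a:
            s["auth"].append(a["method"])
        elif msg == "connection lost":
            s["closed"] = True
    return sessions

def classify(session):
    """'measurement': handshake completed, only 'none' offered, no password ever sent
    (the behaviour the TUM scanner describes); 'bruteforce': a password was sent;
    'other': anything else. The banner is not used: it is self-declared and copyable."""
    methods = session["auth"]
    if "password" in methods:
        return "bruteforce"
    if methods and set(methods) == {"none"} and session["closed"]:
        return "measurement"
    return "other"
```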
Hi everyone. Please note that we offer that you can get your IP ranges blacklisted, and we're happy to oblige such requests.
Please also note that we use a non-existing authentication method, and thus never send a password. There is no way we could get access to your systems. The only reason we send that authentication method is that we need to complete the handshake to find out which cipher has been chosen. Concerning whether such scans are legit, I would like to copy from a mail I have written to a SANS member: We are a network measurement group. We do believe that active scans must be an integral part of understanding and improving the infrastructure of the Internet. In the end, everyone benefits from that (BTW, there is even an RFC on scanning for measurement purposes). As an example of how improvement is possible, I would like to point out our paper (but also the work of the EFF and others) that documents how poorly SSL/X.509 is deployed: http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/imc-pkicrawl-2.pdf We hope to document SSH in a similar way. And frankly, from what we can see in our scans, there are a few oddities that need documentation. We believe that we can contribute to overall security with our scans. If you feel inconvenienced by them, please accept our apologies.

Anonymous, Apr 5th 2013
@nekton: We have since changed our scanner - in fact, it was different for every scan.

Anonymous, Apr 5th 2013
@hcbhatt: I like your idea of a public blacklist "do not scan for research". I'll try and distribute it in the measurement community. Thanks!

Anonymous, Apr 5th 2013
@DHC: I feel you should not cringe, but rather be delighted at the transparency. First of all, that comment you quote refers to the *live querying of an SSH server*. We do not do this at the moment, as it would allow an attacker to get a free "idle" sort of scan via us. But we do think of switching that to live once we have implemented a few precautions.
The current OpenSSH functionality is to query a server that stores data from our scan. We have a patch for OpenSSH to query our notary. However, we feel it is not ready yet for inclusion in the main branch and we will not submit it to that branch before we feel it is ready. All that said, the easiest way to query our notary is actually via DNS, like this:
    export myip="..."
    dig -t TXT $myip.cbssh.net.in.tum.de
The DNS server runs PowerDNS and is rate-limited.

Anonymous, Apr 5th 2013
"I'll leave whether you wish to block it or take advantage of their blacklist, up to you. "
This sure seems like an unethical approach to me. "Require the person at the receiving end to take the TIME and EXPENSE to opt-out, or respond to ALREADY being annoyed by a scan, to then opt-out." The options are framed incorrectly. You should not be attempting such an intrusion on someone else's network, without the proper permissions. My opt-out mechanism is called a null route for the IP prefix of the source IP address space at my edge routers, a call to the source's upstream ISP to complain about this, and possibly legal remedies....

Mysid, 146 Posts, Apr 5th 2013
As far as UK legislation is concerned this is in fact illegal activity. See the Computer Misuse Act 1990. http://www.legislation.gov.uk/ukpga/1990/18
They better not hit my external ssh servers! DDJ

Mysid, 13 Posts, Apr 7th 2013
I find the level of aggression irritating. After all, this is just a scan, and it is meant to help.
That said, any legislation that I am acquainted with, and this includes the UK, always says that there must be an *intent* to gain access. Which there is not, and the fact that we use a bogus authentication method proves this.

Mysid, 5 Posts, Apr 8th 2013
Such a public blacklist would signal to everyone where they should scan, don't you think?
Sort of like the USA's "do not call" list, you know it's full of real, working phone numbers.

anonymous, 1 Post, Feb 23rd 2014