SANS ISC: SSH scans from 188.95.234.6

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Thanks for sharing this Mark. Though this team being legitimate- The only concern is that an malicious actor(attacker) might also pose as an research team start such scans- Though the targets have an option to blacklist the source. There should be a "do not scan for research" list where the target have a choice to add themselves to the list so that there are eliminated from such research activities - This is just a thought which in felt - Should be shared.

These guys tried me back in November, I blocked them. Screw 'em.

Speaking of posing as a research team, I still get "GET /w00tw00t.isc.sans.dfind :)" probes from people.

Looking at their site this sentence, regarding thier app, made me cringe. "Note however, that the live notary is not beyond PoC status at the moment - meaning the code works, but very little attention has been paid to security."

Yeah. I see that they've scanned us 'cos they're now blocked - upon any kind of scan being detected an automatic block occurs. I dunno - this seems like an example of idiot -> idiot mapping.

I don't care who the scanner is. Scans are not socially acceptable Internet behavior.

What I fail to understand is the lack of a good Access Control List on the Edge Router and past that, the firewall. If the policy of allow permitted hosts/networks is followed, and deny everything else, the only thing a SSH scan will show in router logs is DENIED, with no information being given to scanners (automated or otherwise).

Auto-Blocking stuff is nice, but IMO, it's much easier not to allow them access from the beginning.

I believe the point to "blocking" is not to keep them from attacking closed ports, like SSH, but to keep them from trying to exploit other things.

In my network, for example, I block someone that I see doing a portscan, or other scanning activity because I think they may then escalate things into other attacks, such as web application exploits. Or at the very least, it may keep them from finding an actual vulnerability in some other service that I allow.

Once the IP of the scanner is added to my blacklist they will not be able to even get to legitimate services that I offer to the general public, like my email and web apps.

In my Kippo logs from September 2012:

[me@1 log]$ grep 188\.95\.234\.6 *
kippo.log.315:2012-09-09 17:46:55+0000 [kippo.core.honeypot.HoneyPotSSHFactory]
New connection: 188.95.234.6:44440 (sanitized:22) [session: 7]
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] Remote SSH version: SSH-2.0-OpenSSH_6.1 This is a routine measurement by the TU Munich
. See: http://bozen.net.in.tum.de
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] outgoing: aes128-ctr hmac-md5 none
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] incoming: aes128-ctr hmac-md5 none
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,188.95.234.6] NEW KEYS
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,188.95.234.6] starting service ssh-userauth
kippo.log.315:2012-09-09 17:46:56+0000 [SSHService ssh-userauth on HoneyPotTransport,7,188.95.234.6] root trying auth none
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,188.95.234.6] connection lost

Hi everyone. Please note that we offer that you can get your IP ranges blacklisted, and we're happy to oblige to such requests.

Please also note that we use a non-existing authentication method, and do thus never send a password. There is no way we could get access to your systems. The only reason we send that authentication method is that we need to complete the handshake to find out which cipher has been chosen.

Concerning whether such scans are legit, I would like copy from a mail I have written to a SANS member:

We are a network measurement group. We do believe that active scans must be an integral part in understanding and improving the infrastructure of the Internet. In the end, everyone benefits from that (BTW, there is even an RFC on scanning for measurement purposes). As an example of how improvement is possible, I would like to point out our paper (but also the work of the EFF and others) that documents how poorly SSL/X.509 is deployed:

http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/imc-pkicrawl-2.pdf

We hope to document SSH in a similar way. And frankly, from what we can see in our scans, there are a few oddities that need documentation.

We believe that we can contribute to overall security with our scans. If you feel inconvenienced by them, please accept our apologies.

@nekton: We have since changed our scanner - in fact, it was different for every scan.

@hcbhatt: I like your idea of a public blacklist "do not scan for research". I'll try and distribute it in the measurement community. Thanks!

@DHC: I feel you should not cringe, but rather be delighted at the transparency. First of all, that comment you quote refers to the *live querying of an SSH server*. We do not do this at the moment, as it would allow an attack to get a free "idle" sort of scan via us. But we do think of switching that to live once we have implemented a few precautions.

The current OpenSSH functionality is to query a server that stores data from our scan. We have a patch for OpenSSH to query our notary. However, we feel it is not ready yet for inclusion to the main branch and we will not submit it to that branch before we feel it is ready.

All that said, the easiest way to query our noraty is actually via DNS, like this:
export myip="..."
dig -t TXT $myip.cbssh.net.in.tum.de

The DNS server runs PowerDNS and is rate-limited.

"I'll leave whether you wish to block it or take advantage of their blacklist, up to you. "

This sure seems like an unethical approach to me.

"Require the person at the receiving end to take the TIME and EXPENSE to opt-out, or respond to ALREADY being annoyed by a scan, to then opt-out."


The options are framed incorrectly. You should not be attempting such an intrusion on someone else's network, without the proper permissions.


My opt-out mechanism is called a null route for the IP prefix of the source IP address space at my edge routers, a call to the source's upstream ISP to complain about this, and possibly legal remedies....

As far as UK legislation is concerned this is in fact illegal activity. See the Computer Misuse Act 1990. http://www.legislation.gov.uk/ukpga/1990/18

They better not hit my external ssh servers !

DDJ

I find the level of aggression irritating. After all, this is just a scan, and it is meant to help.

That said, any legislation that I am acquainted with, and this includes the UK, always says that there must be an *intent* to gain access. Which there is not, and the fact that we use a bogus authentication method proves this.

Such a public blacklist would signal to everyone where they should scan, don't you think?

Sort of like the usa's "do not call" list, you know it's full of real, working phone numbers.