Brute force SSH attack confounds defenders
Who are those guys?
Security researchers are struggling to combat a sophisticated brute-force attack against SSH servers.
Instead of using the same compromised machine to try multiple password combinations, the newer attack relies on coordination among multiple botnet clients. Also, instead of throwing this resource at random Secure Shell (SSH) remote admin servers, the assault is targeted at specific servers.
The approach, which is more likely to defeat basic rate-based security defences, first emerged after security researchers noticed a spike in failed SSH logins back in October, and remains ongoing. Countermeasures such as the use of IP blocklists of known compromised hosts have been applied to mitigate the attack, but these are only partially successful, Arbor Networks warned on Friday.
A recent comparison between a blacklist created by Arbor's SSH scanner and another blacklist revealed a 12 per cent overlap, suggesting many compromised hosts remain unlogged.
Much about the attack remains unclear. For example, security firms are yet to isolate samples of the botnet code behind the attack. ®
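Why a basic per-source rate rule misses the coordinated pattern described above, and what counting distinct sources per targeted account adds, shown as an added example that is not code from the article or from Arbor Networks. The OpenSSH-style log lines are constructed, and the function names, thresholds and window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse(lines):
    """Return (time, user, source_ip) for every failed-password line."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            # Syslog timestamps carry no year; a fixed one is assumed here.
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def peak_in_window(triples, window):
    """Per key, the most distinct values seen in any window starting at an event."""
    groups = defaultdict(list)
    for ts, key, value in triples:
        groups[key].append((ts, value))
    return {key: max(len({v for t, v in items if start <= t < start + window})
                     for start, _ in items)
            for key, items in groups.items()}

def per_source_alerts(events, limit, window):
    """Basic rate rule: a single IP with more than `limit` failures in the window."""
    peaks = peak_in_window([(ts, ip, i) for i, (ts, _, ip) in enumerate(events)], window)
    return sorted(ip for ip, n in peaks.items() if n > limit)

def distributed_alerts(events, min_sources, window):
    """Per-account rule: one account failed from `min_sources`+ distinct IPs in the window."""
    peaks = peak_in_window([(ts, user, ip) for ts, user, ip in events], window)
    return {user: n for user, n in peaks.items() if n >= min_sources}

# Constructed sample: eight hosts each fail once on "root", a minute apart, plus
# one host failing six times on "admin". Addresses are documentation ranges.
SAMPLE = [f"Oct 12 03:{m:02d}:00 gw sshd[4100]: Failed password for root "
          f"from 198.51.100.{10 + m} port 40000 ssh2" for m in range(8)]
SAMPLE += [f"Oct 12 03:20:{s:02d} gw sshd[4200]: Failed password for invalid user admin "
           f"from 203.0.113.5 port 40001 ssh2" for s in range(6)]
EVENTS = parse(SAMPLE)

if __name__ == "__main__":
    window = timedelta(minutes=10)
    print("per-source rule:", per_source_alerts(EVENTS, 5, window))
    print("per-account rule:", distributed_alerts(EVENTS, 5, window))
```

On the sample, the per-source rule flags only the single noisy host, while the per-account rule surfaces the account that eight separate hosts each tried once.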