Wednesday, March 11, 2015

The strange case of spoofed IP addresses attacking SSH services

The other day a weird IP appeared in the SSH honeypot log of the #MalwareMustDie people.
As you can see in this RIPE report, this address had never been visible on the Internet.

Today another case of abuse against an SSH server from a spoofed IP was announced on the nanog mailing list:
http://www.mail-archive.com/nanog@nanog.org/msg74858.html
One of the causes pointed out was the use of spoofed addresses to hide the real address used for the scan:
Re: Purpose of spoofed packets ???
Bacon Zombie Tue, 10 Mar 2015 20:17:50 -0700
Nmap has an option to "hide" your real IP among either a provided or IP
list of IP addresses.
"-D <decoy1>[,<decoy2>][,ME][,...] (Cloak a scan with decoys)
Causes a decoy scan to be performed, which makes it appear to the remote
host that the host(s) you specify as decoys are scanning the target network
too. Thus, their IDS might report 5–10 port scans from unique IP addresses,
but they won't know which IP was scanning them and which were innocent
decoys. While this can be defeated through router path tracing,
response-dropping, and other active mechanisms, it is generally an
effective technique for hiding your IP address."
http://nmap.org/book/man-bypass-firewalls-ids.html
On 11 Mar 2015 02:17, "Steve Atkins" <st...@blighty.com> wrote:
I don't think this technique is effective nowadays, so if this is the case, it seems that someone is learning to hack :)
Another interesting comment is:
RE: Purpose of spoofed packets ???
Darden, Patrick Wed, 11 Mar 2015 08:28:56 -0700
One more outré purpose for spoofing SIPs is to have you blacklist/nullroute
someone, effectively enlisting you to cause a DOS.
--p
If you are blacklisting the attackers' IPs, this can be dangerous depending on your infrastructure, and you must control the blacklist.
This can be a nightmare in a typical company where there are multiple departments: Developers, Systems, Network and Security.
I will show an example:
Imagine this scenario, where there is an application that uses an external service to work (for example, a two-factor authentication provider).
When the firewall starts to block the spoofed IP, the application will stop working and users will start to complain, and... I bet all departments will be involved in solving this issue.
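The following is an added example, not code from the post or from the nanog thread, showing one way to keep an automatic SSH blacklist under control so that the decoy-scan trick and the self-inflicted DoS described above cannot push a business-critical address into the block list. The log lines, the `SSH-SYN-DROP` firewall log prefix, the allowlisted 2FA provider range and the threshold are all constructed for the example. The key distinction it encodes: an sshd "Failed password" line can only be written after a completed TCP handshake, so that source address is real, whereas a logged SYN carries no proof of who sent it and can be a decoy.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (not from the post). Uses RFC 5737 documentation
# addresses; 198.51.100.23 brute-forces sshd, 203.0.113.77 and 192.0.2.50
# only appear as dropped SYNs (spoofable), 10.0.0.5 is a private source
# arriving on the external interface.
SAMPLE_LOG = """\
Mar 11 10:02:13 bastion sshd[2231]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar 11 10:02:15 bastion sshd[2231]: Failed password for root from 198.51.100.23 port 51031 ssh2
Mar 11 10:02:19 bastion sshd[2240]: Failed password for invalid user admin from 198.51.100.23 port 51040 ssh2
Mar 11 10:03:01 bastion kernel: SSH-SYN-DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=44123 DPT=22 SYN
Mar 11 10:03:01 bastion kernel: SSH-SYN-DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=44124 DPT=22 SYN
Mar 11 10:03:02 bastion kernel: SSH-SYN-DROP IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=44125 DPT=22 SYN
Mar 11 10:03:02 bastion kernel: SSH-SYN-DROP IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=44126 DPT=22 SYN
Mar 11 10:03:09 bastion kernel: SSH-SYN-DROP IN=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=1234 DPT=22 SYN
"""

# sshd only logs an authentication failure after the TCP handshake and SSH
# banner exchange, so the peer address in these lines cannot be spoofed.
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
# A firewall log of a bare SYN proves nothing about the sender's address.
SYN_DROP = re.compile(r"SSH-SYN-DROP .*?SRC=(\S+) .*?DPT=22")

# Hypothetical allowlist: the external services the business depends on
# (e.g. the two-factor authentication provider from the scenario above).
CRITICAL_DEPENDENCIES = [ipaddress.ip_network("192.0.2.48/29")]

# Sources that cannot be routed back over the Internet; dropping their
# packets is fine, but a blacklist entry for them buys nothing. RFC 5737
# documentation ranges are deliberately omitted because the sample uses them.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

FAIL_THRESHOLD = 3  # completed-handshake auth failures before blocking


def parse_log(text):
    """Count per-source evidence: real auth failures vs. spoofable SYNs."""
    auth_fail, syn_only = Counter(), Counter()
    for line in text.splitlines():
        m = SSHD_FAIL.search(line)
        if m:
            auth_fail[m.group(1)] += 1
            continue
        m = SYN_DROP.search(line)
        if m:
            syn_only[m.group(1)] += 1
    return auth_fail, syn_only


def decide(ip, auth_failures, syn_count):
    """Return the action for one source IP; allowlist wins over everything."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in CRITICAL_DEPENDENCIES):
        return "allowlisted"      # never block, whatever the log says
    if any(addr in net for net in UNROUTABLE):
        return "bogon"            # drop at the edge, do not pollute the blacklist
    if auth_failures >= FAIL_THRESHOLD:
        return "block"            # handshake completed: the address is real
    if syn_count > 0:
        return "syn-only"         # could be a decoy; watch or rate-limit instead
    return "watch"


def plan_blocks(text):
    """Map every source seen in the log to its decision."""
    auth_fail, syn_only = parse_log(text)
    return {ip: decide(ip, auth_fail[ip], syn_only[ip])
            for ip in set(auth_fail) | set(syn_only)}


if __name__ == "__main__":
    for ip, action in sorted(plan_blocks(SAMPLE_LOG).items()):
        print(f"{ip:16} {action}")
```

In a real pipeline the allowlist would be owned jointly by the teams the post mentions and reviewed before any automatic rule touches it, and a "syn-only" source would additionally be checked against routing data (as the post did with the RIPE report for the honeypot address) before anyone considers it worth a firewall rule at all.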