The strange case of spoofed IP addresses attacking SSH servicesThe other day a weird IP appeared in the ssh honeypot log of #MalwareMustDie people.
@Malwared_ #weird IP 220.127.116.11 https://t.co/uEkn7rDc5X <- about="" details="" have="" ip="" more="" p="" this="" you=""> — Itsuugo (@Itsuugo) febrero 5, 2015 ->As you can see in this RIPE report this address was never visible on the Internet.
Today in the nanog mailing list was announced another case of abuse against a SSH server from a spoofed IP.
One of the causes pointed was the use of spoofed addresses to hide the real address used for scan:
Re: Purpose of spoofed packets ???I don't think this technique is effective nowadays, so if this is the case, seems that someone is learning to hack :)
Bacon Zombie Tue, 10 Mar 2015 20:17:50 -0700
Nmap has an option to "hide" your real IP among either a provides or IP
list of IP addresses.
" D < decoy1 > [, < decoy2 > ][,ME][,...] (Cloak a scan with decoys)
Causes a decoy scan to be performed, which makes it appear to the remote
host that the host(s) you specify as decoys are scanning the target network
too. Thus, their IDS might report 5–10 port scans from unique IP addresses,
but they won't know which IP was scanning them and which were innocent
decoys. While this can be defeated through router path tracing,
response-dropping, and other active mechanisms, it is generally an
effective technique for hiding your IP address."
On 11 Mar 2015 02:17, "Steve Atkins" < st...@blighty.com > wrote:
Another interesting comment is:
RE: Purpose of spoofed packets ???If you are blacklisting the attackers IPs, this can be dangerous depending on your infrastructure and you must control the blacklist.
Darden, Patrick Wed, 11 Mar 2015 08:28:56 -0700
One more outré purpose for spoofing SIPs is to have you blacklist/nullroute
someone, effectively enlisting you to cause a DOS.
This can be a nightmare in a typical company where are multiple departments: Developers, Systems, Network and Security.
I will show an example:
When the firewall starts to block the spoofed IP, the application will stop to work and users will start to complain and ... I bet all depts will be involved to solve this issue.