A Study of Passwords and Methods Used in Brute-Force SSH Attacks

Jim Owens and Jeanna Matthews
Department of Computer Science
Clarkson University
8 Clarkson Avenue, MS 5815
Potsdam, NY 13699
{owensjp, jnm}@clarkson.edu

ABSTRACT

In its Top-20 Security Risks report for 2007, the SANS Institute called brute-force password guessing attacks against SSH, FTP and telnet servers “the most common form of attack to compromise servers facing the Internet.” A recent study also suggests that Linux systems may play an important role in the command and control networks for botnets. Defending against brute-force SSH attacks may therefore prove to be a key factor in the effort to disrupt these networks. In this paper, we report on a study of brute-force SSH attacks observed on three very different networks: an Internet-connected small business network, a residential system with a DSL Internet connection, and a university campus network. The similarities observed in the methods used to attack these disparate systems are quite striking. The evidence suggests that many brute-force attacks are based on pre-compiled lists of usernames and passwords, which are widely shared. Analysis of the passwords used in actual malicious traffic suggests that the common understanding of what constitutes a strong password may not be sufficient to protect systems from compromise. Study data are also used to evaluate the effectiveness of a variety of techniques designed to defend against these attacks.

1. INTRODUCTION

Major security threats to networked computer systems appear to have reached crisis proportions in recent years. For example, Barracuda Networks, a major supplier of email and Web security appliances, estimates that spam accounted for between 90 and 95 percent of all email sent during 2007 [2]. In addition, new phishing attacks increased by 18% during the first half of 2007 [27], and by the final quarter of 2007 phishing incidents accounted for nearly 60% of all security incidents reported [29]. Commercial malware kits such as MPack [24], including maintenance and support agreements for client hackers, are now being offered for sale on the Internet for as little as $500. These trends have continued to grow since Bruce Schneier told the audience at the Hack in the Box Security Conference in Kuala Lumpur, Malaysia that, in his estimation, the security war was being lost [19].

Perhaps the single biggest security threat to networked systems going forward is botnets, defined as collections of compromised computer systems used for a variety of criminal activities, including distributed denial-of-service attacks, spamming, traffic sniffing, keylogging, identity theft, and click fraud [7]. The most highly publicized botnet of 2007 was the Storm worm botnet, which is estimated to control as many as 50 million computers [5]. For most of the recorded history of botnets, dating back to 1999, the robot computers, or zombies, that populate them have been understood to consist primarily of compromised systems running a version of the Microsoft Windows operating system [7,22]. Propagation of zombie code has been observed to occur through a number of Windows-specific worms, viruses, Trojans, and other forms of malware [3]. More recently, vulnerabilities in Linux machines are being recognized as an important part of the problem.

In October 2007 Dave Cullinane, chief information and security officer at eBay, announced at the Trust Online conference that an internal investigation of the security threats faced by the online auction service had traced them to “rootkitted Linux boxes” [20]. Alfred Huger, vice president for Symantec Security Response, echoed Cullinane's comments, saying that compromised Linux machines were frequently observed to make up a large portion of the command and control networks for botnets.

While it is true that computers running Linux are not subject to the many worms, viruses, and other malware that target Windows platforms, the Linux platform is known to be vulnerable to other forms of exploitation. A 2004 study conducted by the London-based security analysis and consulting firm mi2g found that Linux systems accounted for 65% of “digital breaches” recorded during the twelve-month period ending in October 2004 [6]. Recent studies of vulnerability trends point to two primary attack vectors: brute-force attacks against remote services such as SSH, FTP, and telnet, and Web application vulnerabilities [4,25]. In its Top-20 2007 Security Risks report, the SANS Institute called brute-force password guessing attacks against SSH, FTP and telnet servers “the most common form of attack to compromise servers facing the Internet.” The report notes that unpatched flaws such as buffer overflow vulnerabilities in the authentication functions of these services can allow arbitrary code execution; however, the report also points up a much more mundane threat. Weak passwords are specifically identified as a potential Achilles heel in these systems, since “brute forcing passwords can be used as a technique to compromise even a fully patched system.”

In this paper, we focus specifically on brute-force SSH attacks. In particular, we analyze data collected from a large number of SSH brute-force attacks against Linux systems connected to different kinds of networks. We discuss patterns in the passwords used in these attacks, as well as the methods employed. We also use the data we collected to evaluate the effectiveness of various countermeasures that have been suggested for protecting systems against SSH brute-force attacks.

The remainder of this paper is organized as follows. Section 2 provides an overview of the project, including the experimental setup, an overview of attack activity, and a high-level summary of