SSH scans from 188.95.234.6

Published: 2013-04-02. Last Updated: 2013-04-02 13:16:28 UTC
by Mark Hofman (Version: 2)
15 comment(s)

We received the following earlier today regarding scans to SSH from this IP address which is a research group in Germany.  As far as we are aware it is legitimate research and the scans have been conducted previously.   So if you see scans from this IP address, this is what it is about. I'll leave whether you wish to block it or take advantage of their blocklist, up to you.  

I've asked a few clarifying questions, but have not yet received an answer.  I was curious about the "not logging in" claim, given that they do send a username (and presumably a password): I've identified the IP address in a number of fail2ban logs, which means multiple password attempts. 

As one of the handlers mentioned, it might be OK in your area, but in many places it might still be seen as an intrusion.  I guess to me it is similar to anyone else doing the same for whatever reason, but that does mean you get treated the same, i.e. blocked after x attempts. In this case for me, a firm "thanks for the note, I'll block it now".  Our DB will no doubt show it as an attacking IP as log files start coming in.  There is a note on the IP address from previous scans, so those that use the data can make their own choice. 

If you have SSH open you may want to look at something like fail2ban or other similar tools; it will take care of scans from here the same as scans from anywhere else. In the meantime, if you see this IP address, your incident response time to investigate may be shorter for having read the message below.

Cheers

Mark.  

Dear colleagues,

Our team at the Network Architectures and Services Dept. (I8) of TU
München, Germany, has started an IPv4-wide SSH scan. This is the same
kind of scan that we have conducted several times over the past few
months. Once again, the purpose is purely scientific.

The scanning machine is 188.95.234.6.

It is not infected, nor is an attack intended (we do *not attempt to
login*, in fact we send the most harmless username ever). However, this
is a large-scale scan, which we expect to last up to 10 days. The
long-term goal is continuous scans.

We are perfectly aware that many IDS systems will count this as
an attack. We are thus writing in order to inform you of our activity.
If there is anything you can do - adding us to a whitelist, adding a
comment in your DB etc. - we would very much appreciate your help.

Please note that we respond to every complaint and are happy to
blocklist systems with annoyed admins.

Background information can be found here:

29C3 Lightning Talk, from minute 9:
http://www.youtube.com/watch?v=eao8yBKHYT8

Crossbear-Paper:
http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/holz_x509forensics_esorics2012.pdf

Project homepage: https://pki.net.in.tum.de


Comments

Thanks for sharing this Mark. Though this team is legitimate, the only concern is that a malicious actor (attacker) might also pose as a research team and start such scans, though the targets have an option to blacklist the source. There should be a "do not scan for research" list where the targets have a choice to add themselves so that they are eliminated from such research activities. This is just a thought which I felt should be shared.

These guys tried me back in November, I blocked them. Screw 'em.

Speaking of posing as a research team, I still get "GET /w00tw00t.isc.sans.dfind :)" probes from people.
Looking at their site, this sentence regarding their app made me cringe: "Note however, that the live notary is not beyond PoC status at the moment - meaning the code works, but very little attention has been paid to security."
Yeah. I see that they've scanned us 'cos they're now blocked - upon any kind of scan being detected an automatic block occurs. I dunno - this seems like an example of idiot -> idiot mapping.

I don't care who the scanner is. Scans are not socially acceptable Internet behavior.
What I fail to understand is the lack of a good Access Control List on the Edge Router and past that, the firewall. If the policy of allow permitted hosts/networks is followed, and deny everything else, the only thing a SSH scan will show in router logs is DENIED, with no information being given to scanners (automated or otherwise).

Auto-Blocking stuff is nice, but IMO, it's much easier not to allow them access from the beginning.
I believe the point to "blocking" is not to keep them from attacking closed ports, like SSH, but to keep them from trying to exploit other things.

In my network, for example, I block someone that I see doing a portscan, or other scanning activity because I think they may then escalate things into other attacks, such as web application exploits. Or at the very least, it may keep them from finding an actual vulnerability in some other service that I allow.

Once the IP of the scanner is added to my blacklist they will not be able to even get to legitimate services that I offer to the general public, like my email and web apps.
In my Kippo logs from September 2012:

[me@1 log]$ grep 188\.95\.234\.6 *
kippo.log.315:2012-09-09 17:46:55+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 188.95.234.6:44440 (sanitized:22) [session: 7]
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] Remote SSH version: SSH-2.0-OpenSSH_6.1 This is a routine measurement by the TU Munich. See: http://bozen.net.in.tum.de
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] outgoing: aes128-ctr hmac-md5 none
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] incoming: aes128-ctr hmac-md5 none
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,188.95.234.6] NEW KEYS
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,188.95.234.6] starting service ssh-userauth
kippo.log.315:2012-09-09 17:46:56+0000 [SSHService ssh-userauth on HoneyPotTransport,7,188.95.234.6] root trying auth none
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,188.95.234.6] connection lost
Hi everyone. Please note that we offer that you can get your IP ranges blacklisted, and we're happy to oblige to such requests.

Please also note that we use a non-existing authentication method, and do thus never send a password. There is no way we could get access to your systems. The only reason we send that authentication method is that we need to complete the handshake to find out which cipher has been chosen.

Concerning whether such scans are legit, I would like to copy from a mail I have written to a SANS member:

We are a network measurement group. We do believe that active scans must be an integral part in understanding and improving the infrastructure of the Internet. In the end, everyone benefits from that (BTW, there is even an RFC on scanning for measurement purposes). As an example of how improvement is possible, I would like to point out our paper (but also the work of the EFF and others) that documents how poorly SSL/X.509 is deployed:

http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/imc-pkicrawl-2.pdf

We hope to document SSH in a similar way. And frankly, from what we can see in our scans, there are a few oddities that need documentation.

We believe that we can contribute to overall security with our scans. If you feel inconvenienced by them, please accept our apologies.
@nekton: We have since changed our scanner - in fact, it was different for every scan.
@hcbhatt: I like your idea of a public blacklist "do not scan for research". I'll try and distribute it in the measurement community. Thanks!
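The Kippo session quoted in the comments above shows the distinguishing feature of this scanner: one "trying auth none" line and then "connection lost", with no credential ever sent, as the TU team explains. The following is an added example (not code from the diary, the commenters or the TU project) that parses Kippo-format log lines into sessions, separates such handshake-only probes from credential guessing, and applies a fail2ban-style per-IP threshold as the diary suggests. The log text is constructed in the format shown above; the 198.51.100.7 session is invented for contrast.

```python
import re

# Constructed sample in the Kippo format quoted above; the 198.51.100.7 session
# (a documentation address) is invented to contrast with the measurement probe.
SAMPLE_LOG = """\
2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] Remote SSH version: SSH-2.0-OpenSSH_6.1 This is a routine measurement by the TU Munich. See: http://bozen.net.in.tum.de
2012-09-09 17:46:56+0000 [SSHService ssh-userauth on HoneyPotTransport,7,188.95.234.6] root trying auth none
2012-09-09 17:46:56+0000 [HoneyPotTransport,7,188.95.234.6] connection lost
2012-09-09 18:02:10+0000 [HoneyPotTransport,8,198.51.100.7] Remote SSH version: SSH-2.0-libssh-0.1
2012-09-09 18:02:11+0000 [SSHService ssh-userauth on HoneyPotTransport,8,198.51.100.7] root trying auth password
2012-09-09 18:02:12+0000 [SSHService ssh-userauth on HoneyPotTransport,8,198.51.100.7] admin trying auth password
2012-09-09 18:02:13+0000 [SSHService ssh-userauth on HoneyPotTransport,8,198.51.100.7] root trying auth password
2012-09-09 18:02:14+0000 [HoneyPotTransport,8,198.51.100.7] connection lost
"""
LINE_RE = re.compile(r"^\S+ \S+ \[(?:SSHService ssh-userauth on )?"
                     r"HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<user>\S+) trying auth (?P<method>\S+)$")
# Methods that carry a credential; "none" only asks the server which methods it accepts.
CREDENTIAL_METHODS = {"password", "keyboard-interactive", "publickey"}

def parse_kippo(text):
    """Group Kippo log lines into sessions keyed by (client ip, session id)."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault((m["ip"], int(m["sid"])), {"banner": None, "auth": []})
        msg = m["msg"]
        if msg.startswith("Remote SSH version: "):
            s["banner"] = msg[len("Remote SSH version: "):]
        else:
            a = AUTH_RE.match(msg)
            if a:
                s["auth"].append((a["user"], a["method"]))
    return sessions

def classify(session):
    """Handshake-only probe vs. credential guessing, judged by the auth methods tried."""
    methods = {method for _, method in session["auth"]}
    if methods & CREDENTIAL_METHODS:
        return "credential-guessing"
    return "handshake-only" if methods <= {"none"} else "other"

def ban_list(sessions, maxretry=3):
    """fail2ban-style rule: ban an IP once it has sent maxretry credential attempts."""
    attempts = {}
    for (ip, _), s in sessions.items():
        attempts[ip] = attempts.get(ip, 0) + sum(m in CREDENTIAL_METHODS for _, m in s["auth"])
    return {ip for ip, n in attempts.items() if n >= maxretry}
```

With the sample above, the 188.95.234.6 session classifies as handshake-only and never reaches the ban threshold, while the constructed password-guessing session does; a real deployment would feed fail2ban's own filter instead of this toy threshold.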