Network Attackers: Where In The World

Let’s have a look at who’s been trying to break into SSH service on my development server recently, and where in the world they’re attacking from. Since I implemented fail2ban to trap out these attempted dictionary attacks, it’s logged the network addresses of all the culprits. Here’s who got caught in recent activity:

2009-07-06 19:41:21,425 fail2ban.actions: WARNING [ssh] Ban
2009-07-08 13:48:43,565 fail2ban.actions: WARNING [ssh] Ban
2009-07-10 10:59:36,625 fail2ban.actions: WARNING [ssh] Ban
2009-07-14 00:12:49,866 fail2ban.actions: WARNING [ssh] Ban
2009-07-16 05:14:16,456 fail2ban.actions: WARNING [ssh] Ban
2009-07-17 01:34:32,566 fail2ban.actions: WARNING [ssh] Ban
2009-07-17 06:47:01,616 fail2ban.actions: WARNING [ssh] Ban
2009-07-21 04:22:42,195 fail2ban.actions: WARNING [ssh] Ban
2009-07-21 06:33:19,415 fail2ban.actions: WARNING [ssh] Ban
2009-07-25 00:26:18,623 fail2ban.actions: WARNING [ssh] Ban
2009-07-26 00:20:16,743 fail2ban.actions: WARNING [ssh] Ban
2009-07-27 22:43:14,553 fail2ban.actions: WARNING [ssh] Ban
2009-07-28 13:54:37,653 fail2ban.actions: WARNING [ssh] Ban
2009-07-29 01:52:28,733 fail2ban.actions: WARNING [ssh] Ban
2009-07-29 19:41:58,923 fail2ban.actions: WARNING [ssh] Ban
2009-07-30 13:39:40,597 fail2ban.actions: WARNING [ssh] Ban
2009-08-01 09:57:49,727 fail2ban.actions: WARNING [ssh] Ban
2009-08-02 06:38:09,777 fail2ban.actions: WARNING [ssh] Ban
2009-08-02 14:47:14,147 fail2ban.actions: WARNING [ssh] Ban
2009-08-07 23:35:22,597 fail2ban.actions: WARNING [ssh] Ban
2009-08-12 20:06:36,877 fail2ban.actions: WARNING [ssh] Ban
2009-08-13 19:01:42,967 fail2ban.actions: WARNING [ssh] Ban
2009-08-13 22:27:14,007 fail2ban.actions: WARNING [ssh] Ban
2009-08-14 01:32:15,057 fail2ban.actions: WARNING [ssh] Ban
2009-08-14 09:31:25,117 fail2ban.actions: WARNING [ssh] Ban
2009-08-16 12:12:31,627 fail2ban.actions: WARNING [ssh] Ban
2009-08-20 19:50:08,877 fail2ban.actions: WARNING [ssh] Ban
2009-08-22 12:20:31,127 fail2ban.actions: WARNING [ssh] Ban

That’s 28 attacks over the course of 48 days, originating from 26 different hosts (two were repeat offenders).

Digging through the regional Whois registries, we can discover the geographic locations of the network segments on which these remote IP addresses were assigned, and the names of the network operators:

IP address        Registry    Registrant, Location
                  RIPE        Bielany Wroclawskie, Warsaw, Poland
                  RIPE        Polgarhaz Holding Kft., Budapest, Hungary
                  APNIC       Netli.lic., Hangzhou, China
                  APNIC       China Telecom, Fujian Province, China
                  RIPE        Joint Stock Company Svyazist, Kstovo, Russia
                  RIPE        Inest Hosting, Szeged, Hungary
                  APNIC       China Telecom, Shanghai Province, China
                  RIPE        IP Exchange GmbH, Nuremberg, Germany
                  LACNIC      MegaCable SA de CV, Guadalajara, Mexico
                  APNIC       China Telecom, Shanghai Province, China
                  RIPE        2Connect WLL, Manama, Bahrain
                  ARIN        ATX Telecom Services, King Of Prussia, PA, USA
                  APNIC       China Telecom, Guangdong Province, China
                  APNIC       Beijing Primezone Technologies, Beijing, China
                  RIPE        Tendensia SRL, Castellaneta, Italy
                  RIPE        AG, Brugg, Switzerland
                  ARIN        Slicehost LLC, St. Louis, MO, USA
                  APNIC       Reliance Communications Ltd, Mumbai, India
                  APNIC       China Telecom, Hunan Province, China
                  RIPE        Sia "Pronets", Riga, Latvia
                  ARIN        Verizon DSL, San Fernando, CA, USA
                  APNIC       Jin'Ou Building, Beijing, China
                  RIPE        SU29 Telecom, Moscow, Russia
                  APNIC       China Telecom, Hubei Province, China
                  APNIC       Ningbo Education Science Ctr, Zhejiang, China
                  APNIC       TATA Communications, Mumbai, India

The named registrants are network owners and operators, usually local ISPs, who of course represent non-complicit intermediaries and not the attackers themselves. But these records do accurately reflect the geographic locations of the remote hosts from which the intrusion attempts originated. The listed country, at a minimum, is very reliable; IP geolocation by country with Whois should be over 95% accurate.
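The two steps above, counting Ban events from the fail2ban log and then grouping the banned hosts by the country field of their whois record, can be automated. The script below is an added example, not code from the original post; the log lines and whois records it embeds are constructed samples using RFC 5737 documentation addresses and made-up registrant names, shaped like fail2ban 0.8-era log output and RIPE/APNIC/ARIN-style "key: value" whois text. In a real run you would feed it /var/log/fail2ban.log and the text returned by a whois query for each address.

```python
"""Summarise fail2ban SSH bans and group the banned hosts by whois country.

Added example (not the post's own code). SAMPLE_LOG and WHOIS_SAMPLES are
constructed: documentation IP ranges (RFC 5737) and invented registrants.
"""
import re
from collections import Counter
from datetime import datetime

# fail2ban 0.8-style action line:
#   2009-07-06 19:41:21,425 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.actions: WARNING \[(?P<jail>[^\]]+)\] "
    r"(?P<action>Ban|Unban) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

SAMPLE_LOG = """\
2009-07-06 19:41:21,425 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2009-07-08 13:48:43,565 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2009-07-10 10:59:36,625 fail2ban.actions: WARNING [ssh] Ban 203.0.113.44
2009-07-12 08:00:00,000 fail2ban.actions: WARNING [postfix] Ban 198.51.100.200
2009-07-14 00:12:49,866 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2009-07-16 05:14:16,456 fail2ban.actions: WARNING [ssh] Unban 192.0.2.10
2009-07-17 01:34:32,566 fail2ban.actions: WARNING [ssh] Ban 203.0.113.99
"""

# Constructed whois responses keyed by banned address (not real RIR data).
WHOIS_SAMPLES = {
    "192.0.2.10": (
        "% This is a constructed sample, not real RIR output\n"
        "inetnum:        192.0.2.0 - 192.0.2.255\n"
        "netname:        EXAMPLE-NET\n"
        "descr:          Example Telecom (constructed)\n"
        "country:        CN\n"
    ),
    "198.51.100.7": "inetnum:        198.51.100.0 - 198.51.100.255\ncountry:        RU\n",
    "203.0.113.44": (
        "NetRange:       203.0.113.0 - 203.0.113.255\n"
        "OrgName:        Example Hosting (constructed)\n"
        "Country:        US\n"
    ),
    "203.0.113.99": "country:        CN\n",
}


def parse_bans(log_text, jail="ssh"):
    """Return [(datetime, ip)] for every Ban event of the given jail.

    Unban lines, other jails and unrelated log noise are skipped, so the
    count reflects actual ban actions rather than every log line."""
    events = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line.strip())
        if not m or m.group("action") != "Ban" or m.group("jail") != jail:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events


def summarize(events):
    """Totals in the same terms as the post: bans, distinct hosts, repeat
    offenders, and the inclusive number of days the sample spans."""
    if not events:
        return {"bans": 0, "hosts": 0, "repeat_offenders": [], "days": 0}
    per_ip = Counter(ip for _, ip in events)
    first = min(ts for ts, _ in events)
    last = max(ts for ts, _ in events)
    return {
        "bans": len(events),
        "hosts": len(per_ip),
        "repeat_offenders": sorted(ip for ip, n in per_ip.items() if n > 1),
        "days": (last.date() - first.date()).days + 1,
    }


def parse_whois(text):
    """Flatten 'key: value' whois output into a dict with lowercased keys.

    Works for RIPE/APNIC style ('country: CN') and ARIN style ('Country: US');
    the first occurrence of a key wins, and '%'/'#' banner lines are ignored."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def hosts_by_country(events, whois_records):
    """Count distinct banned hosts per whois country code ('??' if unknown)."""
    counts = Counter()
    for ip in {ip for _, ip in events}:
        fields = parse_whois(whois_records.get(ip, ""))
        counts[fields.get("country", "??").upper()] += 1
    return counts


if __name__ == "__main__":
    bans = parse_bans(SAMPLE_LOG)
    print(summarize(bans))
    print(hosts_by_country(bans, WHOIS_SAMPLES).most_common())
```

Because the country tally is keyed on distinct hosts rather than ban events, a repeat offender does not inflate its region's share; swap the set for the full event list if you want to weight by attempts instead.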

SSH Scans by Region

There’s no mistaking that these attacks tend to originate from China and the former Soviet bloc. These areas are home to bustling cybercrime industries. Attackers seek to expose financial accounts presumed stored on servers, or to commandeer staging grounds for use in the infiltration of other lucrative targets.

This is just a tiny sample of all attack activity: one sensor on one port, on one host, on one network segment of the great wide internet that hackers direct their tools against. Attacks of this type and others, many of which are much more commonplace than SSH scans, originate from this same geographical profile.

How are you defending your network and data from these threats? Do you know about techniques for reducing your exposure? Let’s talk.


fail2ban Homepage

Wikipedia: WHOIS

ARIN Whois Lookup

APNIC Whois Lookup

RIPE Whois Lookup

LACNIC Whois Lookup

China: Hacker Schools Become Big Business

China View: Training for hackers stirs worry about illegal actions

BlackHat USA 2009: Russian’s Organized Crime Heritage Paved Way For Cybercrime
