We report on what we believe to be the largest dataset (to date) of automated secure shell (SSH) bruteforce attacks. The dataset includes plaintext password guesses in addition to timing, source, and username details, which allows us to analyze attacker behaviour and dynamics (e.g., coordinated attacks and password dictionary sharing). Our methodology involves hosting six instrumented SSH servers in six cities. Over the course of a year, we recorded a total of ∼17M login attempts originating from 112 different countries and over 6K distinct source IP addresses. We shed light on attacker behaviour, and based on our findings provide recommendations for SSH users and administrators.

Additional Metadata
Persistent URL dx.doi.org/10.1007/978-3-319-29938-9_6
Abdou, A. (AbdelRahman), Barrera, D. (David), & Van Oorschot, P. (2016). What lies beneath? Analyzing automated SSH bruteforce attacks. doi:10.1007/978-3-319-29938-9_6