The primary objective of the SISSDEN project is to offer National CERTs, ISPs and network owners free reports on malicious activity detected on their networks. This is achieved by establishing a network of honeypots. One of these honeypot sensor types is dedicated to detecting SSH and Telnet based attacks against network devices. These attacks typically involve brute forcing credentials to obtain access. Once access has been obtained, the devices are used for further attacks, which may involve installing malicious software that makes the device part of a botnet, such as the well-known Mirai botnets used for launching DDoS attacks. Compromised devices may also be used to scan for further vulnerable Internet-facing devices. In other cases, a successful breach of a networking device may be used for financial theft: rogue DNS server entries are inserted into a home router's network configuration, redirecting the home user's traffic to malicious web pages and making them susceptible to phishing.
Brute force attacks are detected by SISSDEN and will be reported to owners of the network from which these attacks originate (or the responsible National CERTs) through Shadowserver's existing free of charge reporting system. The following table gives an overview of the information found in the Brute Force Attack report:
| Field | Description |
|---|---|
| timestamp | Time that the attack was performed, in UTC+0 |
| ip | The IP address performing the attack |
| port | The source port used in the attack |
| asn | ASN announcing the attacking IP |
| geo | Country where the attacking IP resides |
| region | State / Province / Administrative region where the attacking IP resides |
| city | City where the attacking IP resides |
| hostname | PTR record of the attacking IP |
| dest_ip | The IP address of the target device |
| dest_port | Destination port used in the attack |
| dest_asn | ASN announcing the target IP |
| dest_geo | Country where the target IP resides |
| dest_dns | FQDN of the target, if applicable and recorded |
| service | The type of service that was attacked, e.g. SSH, RDP, Telnet |
| naics | North American Industry Classification System code of the attacking IP |
| sic | Standard Industrial Classification code of the attacking IP |
| dest_naics | North American Industry Classification System code of the target IP |
| dest_sic | Standard Industrial Classification code of the target IP |
| sector | Sector the attacking IP belongs to |
| dest_sector | Sector the target IP belongs to |
| public_source | Source of the data, for cases where the source accepts being credited |
| start_time | Timestamp of the first activity seen in the attack |
| end_time | Timestamp of the last activity seen in the attack |
| client_version | The version string served by the attacker, if applicable and recorded |
| username | The first username that was attempted, if recorded |
| password | The first password that was attempted, if recorded |
| payload_url | If a payload was downloaded onto the target, the URL the payload was downloaded from, if recorded |
| payload_md5 | The md5sum of the payload downloaded onto the target, if recorded |
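To show how a network owner might consume a report with the fields listed above, here is an added example (not code from the SISSDEN project or Shadowserver). It assumes the report arrives as a CSV file with one header row using the column names from the table and timestamps in `YYYY-MM-DD HH:MM:SS` UTC; both are assumptions, as is the sample report itself, which is constructed with documentation-range IPs and invented values. The script validates each row, groups activity by attacking IP (services and targets hit, credentials tried, first and last seen) and extracts payload URL/MD5 pairs for blocklisting or incident triage.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample report (assumed CSV layout; not real data). Source IPs
# 192.0.2.x, targets 198.51.100.x and the payload host 203.0.113.x are
# documentation ranges. The MD5 value is a placeholder.
SAMPLE_REPORT = """\
timestamp,ip,port,asn,geo,region,city,hostname,dest_ip,dest_port,dest_asn,dest_geo,dest_dns,service,naics,sic,dest_naics,dest_sic,sector,dest_sector,public_source,start_time,end_time,client_version,username,password,payload_url,payload_md5
2017-05-01 10:00:00,192.0.2.10,51234,64496,XX,,Example City,,198.51.100.5,22,64497,YY,,ssh,0,0,0,0,,,,2017-05-01 09:58:12,2017-05-01 10:00:00,SSH-2.0-libssh2_1.4.3,root,admin,,
2017-05-01 10:05:00,192.0.2.10,41022,64496,XX,,Example City,,198.51.100.5,23,64497,YY,,telnet,0,0,0,0,,,,2017-05-01 10:04:40,2017-05-01 10:05:00,,admin,1234,http://203.0.113.7/bins/x86,0123456789abcdef0123456789abcdef
2017-05-01 11:00:00,192.0.2.77,60001,64496,XX,,,,198.51.100.9,22,64497,YY,,ssh,0,0,0,0,,,,2017-05-01 10:59:00,2017-05-01 11:00:00,SSH-2.0-PUTTY,pi,raspberry,,
"""

# Assumed timestamp layout; the table only states that times are UTC+0.
TS_FMT = "%Y-%m-%d %H:%M:%S"
TIME_FIELDS = ("timestamp", "start_time", "end_time")


def parse_report(text):
    """Parse the CSV report into a list of dicts, converting the time fields to
    aware UTC datetimes (None when empty) and rejecting rows whose start_time
    is after end_time, which would indicate a broken or mislabelled row."""
    rows = []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        for key in TIME_FIELDS:
            value = row.get(key) or ""
            row[key] = (datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)
                        if value else None)
        if row["start_time"] and row["end_time"] and row["start_time"] > row["end_time"]:
            raise ValueError(f"line {lineno}: start_time is after end_time")
        rows.append(row)
    return rows


def summarize_by_source(rows):
    """Group report rows by attacking IP so an ISP or CERT can see, per
    customer address, which services and targets were hit, which credentials
    were tried first, and the overall window of activity."""
    summary = defaultdict(lambda: {
        "events": 0, "services": set(), "targets": set(),
        "credentials": set(), "first_seen": None, "last_seen": None,
    })
    for r in rows:
        s = summary[r["ip"]]
        s["events"] += 1
        s["services"].add(r["service"].lower())
        s["targets"].add(r["dest_ip"])
        s["credentials"].add((r["username"], r["password"]))
        start, end = r["start_time"] or r["timestamp"], r["end_time"] or r["timestamp"]
        if start and (s["first_seen"] is None or start < s["first_seen"]):
            s["first_seen"] = start
        if end and (s["last_seen"] is None or end > s["last_seen"]):
            s["last_seen"] = end
    return dict(summary)


def payload_indicators(rows):
    """Return sorted, de-duplicated (payload_url, payload_md5) pairs from rows
    where a payload was fetched; these are the indicators worth feeding into
    a blocklist or an incident ticket."""
    return sorted({(r["payload_url"], r["payload_md5"]) for r in rows if r["payload_url"]})


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for ip, info in summarize_by_source(parsed).items():
        print(ip, info["events"], sorted(info["services"]), sorted(info["targets"]),
              info["first_seen"], info["last_seen"])
    for url, md5 in payload_indicators(parsed):
        print("payload", url, md5)
```

The start/end ordering check matters because a feed consumer that computes attack duration from these two fields will silently produce negative or nonsensical values on a malformed row; failing loudly on ingest is the safer default for a report that drives abuse-desk action.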
The reports are currently being tested on a trial basis and will increase in scale once the SISSDEN network is built up. Signing up for these reports and others will be possible through the SISSDEN customer portal. A full description of the Shadowserver reporting system that will be used for SISSDEN can be found at Shadowserver's reports page. All existing and future users of Shadowserver reports will automatically also receive these reports. Stay tuned for more updates soon!