What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9551)


We report on what we believe to be the largest dataset (to date) of automated secure shell (SSH) bruteforce attacks. The dataset includes plaintext password guesses in addition to timing, source, and username details, which allows us to analyze attacker behaviour and dynamics (e.g., coordinated attacks and password dictionary sharing). Our methodology involves hosting six instrumented SSH servers in six cities. Over the course of a year, we recorded a total of \(\sim \)17M login attempts originating from 112 different countries and over 6 K distinct source IP addresses. We shed light on attacker behaviour, and based on our findings provide recommendations for SSH users and administrators.


Virtual Machine Hong Kong IPv4 Address Data Collection Methodology Password Authentication 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We thank Hala Assal, Elizabeth Stobert, Mohamed Aslan, Raphael Reischuk, and the anonymous referees for insightful comments which have improved this paper.


  1. 1.
    Internet Storm Center - SSH Scanning Activity., September 13 (2015)
  2. 2.
    Nagios., September 13 (2015)
  3. 3.
    Country IP Blocks - Allocation of IP addresses by Country., September 13 2015
  4. 4.
    Alsaleh, M., Mannan, M., van Oorschot, P.C.: Revisiting defenses against large-scale online password guessing attacks. IEEE Trans. Dependable, Secure Comput. (TDSC) 9(1), 128–141 (2012)CrossRefGoogle Scholar
  5. 5.
    Bergadano, F., Crispo, B., Ruffo, G.: High dictionary compression for proactive password checking. ACM Trans. Inf. Syst. Secur. (TISSEC) 1(1), 3–25 (1998)CrossRefGoogle Scholar
  6. 6.
    Bonneau, J., The science of guessing: Analyzing an anonymized corpus of 70 million passwords. In: IEEE Symposium on Security and Privacy (2012)Google Scholar
  7. 7.
    Chiasson, S., van Oorschot, P.C.: Quantifying the security advantage of password. Des. Codes Crypt. 77, 1–8 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: Fast Internet-wide scanning and its security applications. In: USENIX Security, August 2013Google Scholar
  9. 9.
    Florencio, D., Herley, C., Coskun, B.: Accomplish, do strong web passwords anything? In: USENIX HotSec, pp. 10:1–10:6 (2007)Google Scholar
  10. 10.
    Florencio, D., Herley, C., van Oorschot, P.C.: An administrators guide to internet password research. In: USENIX LISA (2014)Google Scholar
  11. 11.
    Hofstede, R., Hendriks, L., Sperotto, A., Pras, A.: SSH compromise detection using NetFlow/IPFIX. ACM SIGCOMM CCR 44(5), 20–26 (2014)CrossRefGoogle Scholar
  12. 12.
    IPinfo. IP Address Details -, September 13 (2015)
  13. 13.
    Javed, M., Paxson, V.: Detecting stealthy, distributed SSH brute-forcing. In: ACM CCS (2013)Google Scholar
  14. 14.
    Owens, J., Matthews, J.: A study of passwords and methods used in brute-force SSH attacks. In: USENIX LEET (2008)Google Scholar
  15. 15.
    Satoh, A., Nakamura, Y., Ikenaga, T.: Identifying user authentication methods on connections for SSH dictionary attack detection. In: IEEE Annual Computer Software and Applications Conference Workshops (COMPSACW) (2013)Google Scholar
  16. 16.
    Sperotto, A., Sadre, R., de Boer, P.-T., Pras, A.: Hidden markov model modeling of SSH brute-force attacks. In: Bartolini, C., Gaspary, L.P. (eds.) DSOM 2009. LNCS, vol. 5841, pp. 164–176. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  17. 17.
    Thames, J.L., Abler, R., Keeling, D.: A distributed active response architecture for preventing SSH dictionary attacks. In: IEEE Southeastcon, pp. 84–89 (2008)Google Scholar
  18. 18.
    Ylonen, T.: SSH - Secure login connections over the internet. In: USENIX Security (1996)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.Carleton UniversityOttawaCanada
  2. 2.ETH ZürichZürichSwitzerland

Personalised recommendations