
2017-06-16 22:23:25

Author: Willie Stevenson

ssh attacks threat detection threat mitigation

Back in March of last year I wrote about a whopping 1M SSH attacks in three months' time on my New York based VPS from Digital Ocean, many of which came from infected public-facing routers, servers, and other devices. Collecting data from these attacks, even with only a single probe, lets us estimate a real-time view of SSH attacks on the internet's infrastructure.

Threat Detection

Livesshattack's data is stored in real time and can be filtered and queried to retrieve specific statistics. It's especially useful to view this data over time, to show how parts of the internet and regions of continents fall victim while others stay resilient.

[Figure: 7.6 million SSH attacks over ~1.5 years. Origin and distribution of 1.5 years of SSH attacks.]

Having a real-time map of SSH attacks as they unfold allows threats to be detected visually and firewall policies to be generated on the fly. Analyzing visual data and automatically creating security policies allow for efficient mitigation of threats and quick repairs to credential problems such as weak usernames and passwords. Of course, one of the best courses of action is a cross between white-listing (deny all, allow x) and only allowing authentication with ssh keys; however, this research is strictly about mining trends out of collected data, so neither is used here.

For example, ssh attempts from China-based regions seem to occur in a largely fixed amount on a daily basis (usually in the form of dictionary attacks), with some additional outliers. At the time of writing, approximately 29% of all ssh traffic has come from AS134764 (network) alone, which is operated by CHINANET. However, when ssh attempts spike out from the heart of Europe, or the US, this usually indicates a bigger and potentially more hazardous issue.

[Figure: 7.6 million SSH attacks over ~1.5 years. Origin and distribution of 1.5 years of SSH attacks by IP occurrence.]

Sitting on one of Digital Ocean's nodes on their network makes it easy to correlate what may be happening to other nodes in the same node-cluster, or even on Digital Ocean's local ISP.

After spinning up a temporary DO node in one of their other NY datacenters, leaving everything at its defaults, and just waiting a bit, we fall under attack.

[Figure: auth.log of temp do-ny1 node]
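As an added example, not the livesshattack collector's code, here is the kind of processing described above: sshd "Failed password" lines from an auth.log like the one on the temporary do-ny1 node are parsed, failures are counted per source address (the same aggregation the per-IP figures rely on), and addresses that cross a threshold are rendered as firewall rules on the fly. The log lines are constructed for the example using RFC 5737 documentation addresses, the threshold of 5 is an arbitrary assumption, and the iptables commands are returned as strings rather than applied.

```python
#!/usr/bin/env python3
"""Added example: turn sshd failures in auth.log into a block list.

Illustrative code written for this post, not livesshattack's own code.
It parses "Failed password" lines, counts them per source address, and
renders iptables DROP rules for addresses over a threshold. Nothing is
executed against the firewall; the rules are only returned as strings.
"""
import re
from collections import Counter

# Constructed sample lines in the Debian/Ubuntu auth.log format.
# Addresses are RFC 5737 documentation ranges, not real attackers.
SAMPLE_AUTH_LOG = """\
Jun 16 22:01:03 do-ny1 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 16 22:01:05 do-ny1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jun 16 22:01:09 do-ny1 sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jun 16 22:01:12 do-ny1 sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51055 ssh2
Jun 16 22:01:20 do-ny1 sshd[1209]: Failed password for root from 203.0.113.7 port 51060 ssh2
Jun 16 22:02:41 do-ny1 sshd[1211]: Failed password for invalid user pi from 198.51.100.23 port 40012 ssh2
Jun 16 22:03:02 do-ny1 sshd[1213]: Accepted publickey for deploy from 192.0.2.10 port 33044 ssh2: ED25519 SHA256:<fingerprint>
Jun 16 22:03:15 do-ny1 sshd[1215]: Invalid user oracle from 198.51.100.23 port 40020
"""

# Matches only password failures; "invalid user" marks a username that
# does not exist on the host (typical of dictionary attacks).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(log_text):
    """Return one dict per failed-password line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append({
                "ts": m.group("ts"),
                "user": m.group("user"),
                "invalid_user": m.group("invalid") is not None,
                "ip": m.group("ip"),
            })
    return events


def failures_per_ip(events):
    """Failure count keyed by source address."""
    return Counter(e["ip"] for e in events)


def usernames_tried(events):
    """Which usernames the dictionary attacks are guessing."""
    return Counter(e["user"] for e in events)


def block_candidates(per_ip, threshold=5):
    """Addresses whose failure count reached the threshold, busiest first."""
    return [ip for ip, n in per_ip.most_common() if n >= threshold]


def iptables_rules(ips, port=22):
    """Render one DROP rule per address (assumed iptables syntax, not applied)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


def report(log_text, threshold=5):
    """Summarise a log: totals, per-IP counts, usernames, and generated rules."""
    events = parse_failures(log_text)
    per_ip = failures_per_ip(events)
    blocked = block_candidates(per_ip, threshold)
    return {
        "failed_logins": len(events),
        "per_ip": dict(per_ip),
        "usernames": dict(usernames_tried(events)),
        "block": blocked,
        "rules": iptables_rules(blocked),
    }


if __name__ == "__main__":
    summary = report(SAMPLE_AUTH_LOG)
    print(f"{summary['failed_logins']} failed logins")
    for ip, n in summary["per_ip"].items():
        print(f"  {ip}: {n}")
    for rule in summary["rules"]:
        print(rule)
```

In practice the same functions would be fed from a tail of /var/log/auth.log (or the journal) and the rendered rules handed to the firewall, which is the "policies generated on the fly" step; the threshold and the block window are tuning choices, and the per-IP counter is the raw material for the origin maps shown earlier.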

The ability to look at these statistics and analytics enables you to better protect yourself. More statistics can be found at graphs and leaderboards. Over time I plan to add new nodes, dimensions, APIs, and other useful ways to visualize data on Let me know what you would like to see next.