CAUDIT: Continuous Auditing of SSH Servers To Mitigate Brute-Force Attacks

Phuong Cao¹, Yuming Wu¹, Subho Banerjee¹, Justin Azoff^2,3, Alex Withers³, Zbigniew Kalbarczyk ¹, Ravishankar Iyer¹,

¹ University of Illinois at Urbana-Champaign, ²Corelight, ³National Center for Supercomputing Applications

In USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2019

Abstract

This paper describes CAUDIT, an operational system deployed at the National Center for Supercomputing Applications (NCSA) at the University of Illinois. CAUDIT is a fully automated system to enable the identification and exclusion of hosts that are vulnerable to SSH brute-force attacks. Its key features includes: 1) a honeypot for attracting SSH-based attacks over a /16 IP address range and extracting key-metadata (e.g., source IP, password, SSH-client version, or -key) from these attacks; 2) executing audits on the live production network by replaying attack attempts recorded by the honeypot; 3) using the IP addresses recorded by the honeypot to block SSH attack attempts at the network border using a Black Hole Router (BHR) while significantly reducing the load on NCSA's security monitoring system; and 4) informing peer sites of attack attempts in real-time to ensure containment of coordinated attacks. The system is composed of existing techniques with custom-built components, and its novelty is to execute at a scale that has not been validated earlier (thousands of nodes and tens of millions of attack attempts per day). Experience over 463 days shows that CAUDIT successfully blocks an average of 57 million attack attempts on a daily basis using the proposed BHR. This represents a 66x reduction in the number of SSH attempts compared to the daily average and has reduced 78% of the traffic to the NCSA internal network-security-monitoring infrastructure.

For more information check out our paper or slides from NSDI'19

Name	Language	URL
SSH authentication logger	Golang	https://github.com/ncsa/ssh-auth-logger
SSH auditor	Golang	https://github.com/ncsa/ssh-auditor
Black Hole Router	Python	https://github.com/ncsa/bhr-site
Flow shunting	Python	https://github.com/ncsa/dumbno
Alert-sharing network	Python, Golang	https://git.ncsa.illinois.edu/awithers/sdaia

Primary Datasets

SSH attack attempts: We collected 405,352,245 SSH attack attempts from 4,035,975 unique source IP address during Feb 2017 - May 2018. There were 159 unique SSH client key fingerprints, 171 unique SSH client versions, 3,214 unique usernames, and 95,989 unique passwords.
Correlation with haveibeenpwnd database: We correlated the passwords used in attack attempts with a snapshot of the HIBP password dataset (5B passwords as of Sep 2018) to identify personalized passwords.

-->

Name	Type	Size	Format	SHA-256 Hash (Compressed)	Labels
SSH attack attempts (sample)	gzipped json	296 KB	README	Show `#`	SSH

A sample of scripts used to process the datasets, analyze the processed datasets, and produce some of the plots in our NSDI'19 paper can be downloaded from https://github.com/pmcao/caudit.

If you have any questions, comments or concerns, or if you're interested in using our data in your research, please email Phuong Cao!