Chris Wellons of nullprogram.com put together a great article on building “tarpits” to foil automated network attacks. In this example he shows his implementation of endlessh to trap attackers probing for open ssh servers.
From his article:
I’m a big fan of tarpits: a network service that intentionally inserts delays in its protocol, slowing down clients by forcing them to wait. This arrests the speed at which a bad actor can attack or probe the host system, and it ties up some of the attacker’s resources that might otherwise be spent attacking another host. When done well, a tarpit imposes more cost on the attacker than the defender.
The latest addition is an SSH tarpit I wrote a couple of months ago - Endlessh: an SSH tarpit.
Endlessh works by exploiting a feature in the SSH protocol that allows an endpoint to send “other data” before completing the SSH handshake. This would normally be used for custom commands or settings between server and client. In the tarpit case, however, this is used to delay the completion of the handshake indefinitely; trapping the client in an endless SSH connection setup.
We put together some captures showing the difference between a standard SSH connection and one that is being run through endlessh. Here’s a standard SSH session:
You can see the handshake proceed normally, and then encrypted session begins.
Here’s the session after it’s been run through endlessh:
You can see that the server never replies with it’s own identification string. Instead, it sends a random string to the client every 10 seconds. This prevents the handshake from completing; effectively trapping the bot, and preventing it from moving on to the next open ssh server.
Read his article for more detail on this server defense trick. Pretty cool!