Regular readers of my blog over at http://bsdly.blogspot.com will recognize the term "Hail Mary Cloud", also known as the slow bruteforcers. It is conceivable that I will be writing about the phenomenon again later; in the meantime I will be publishing data as I accumulate it here.
Note: You can find my May 17 2013 BSDCan presentation about the Hail Mary Cloud here, with links to the complete data set. Also worth noting is that the presentation and data are on a host with much better connectivity than this one.
Data in various forms are available via references from the online columns, unfortunately not all of it quite complete. However, for the November 2009 episode I did keep complete data around as well as some extracts generated by a simple but useful script. The four varieties I generate are:
November 2009: Raw log data, with 3-4 lines per attempt
On June 17th, 2010, a new round started, generating some further data (same file names, different directory):
June 2010: Raw log data, with 3-4 lines per attempt
Update 2010-08-07: The attempts are still going on. After a few quiet days just around August 1st, they're back now, with what appears to be a new set of machines, pretty much doubling the number of hosts in the June sample more or less overnight. I will keep on extracting data here at semi-random intervals (likely once per day if not more frequently).
Update 2011-10-23: During the early hours of October 23rd, 2011, what appears to be a new round of distributed password guessing started, generating yet another set of data (once again the same file names, but in a different directory):
October 2011: Raw log data, with 3-4 lines per attempt
[Update 2011-10-29: The last attempt in this sequence appears to have been at 2011-10-29 05:40:07 CEST. If any further activity occurs, I'll publish data as I collect it.]
Update 2011-11-06: The October round ended October 29th, but the attempts restarted soon; what could be the earliest attempts at root appear in the logs below, starting November 3rd. As usual, I'll be updating the files here at intervals.
November 2011: Raw log data, with 3-4 lines per attempt
Update 2011-11-20: The November 2011 round paused for a while, stopping on November 9th. However, distributed attempts restarted on November 18th. I'm not sure whether it's useful to treat the two November 2011 sequences as separate or parts of the same, so for now I've made two versions of the data available: The November 18 onwards sequence only as well as a combined version:
18 November 2011 onwards: Raw log data, with 3-4 lines per attempt
November 2011, combined: Raw log data, with 3-4 lines per attempt
Expect updates to these files at semi-random intervals, once per day or thereabouts.
Update 2012-04-06: An episode that occurred from April 1st through April 2nd, 2012 may be an indication of developments along the same lines. Log data available here:
1 April 2012 onwards: Raw log data, with 3-4 lines per attempt
Conditions for use: The data collected here (as well as the data available via references in the online columns) can be used freely for analysis and study and may be re-published in such contexts, as long as proper source attribution is used. An example of such attribution is: data collected by Peter N. M. Hansteen (firstname.lastname@example.org). For other use or more extensive assistance, please contact me for specific arrangements.