
bsdly.net - The Hail Mary Cloud Data

Regular readers of my blog over at http://bsdly.blogspot.com will recognize the term "Hail Mary Cloud", also known as the slow bruteforcers. The online columns (or syndicated versions thereof) may contain references to specific files on this server. However, I urge anybody who is interested in studying the data to either download the complete dataset as a .zip file (approx. 26MB) or use the table below to dive into the files online.

My overview article The Hail Mary Cloud And The Lessons Learned contains some discussion, links to all data as well as to the original (field notes) articles.

A recent ACM Conference on Computer and Communication Security paper, "Detecting stealthy, distributed SSH brute-forcing," penned by Mobin Javed and Vern Paxson, references a large subset of the data and offers some real analysis, including correlation with data from other sites (Spoiler alert: in some waves, almost total overlap of participating machines). One interesting point from the paper is that apparently attacks matching our profile were seen at the Lawrence Berkeley National Laboratory as early as 2005.

And in other news, it appears that GitHub has been subject to an attack that matches the characteristics we have described. A number of accounts with weak passwords were cracked. Investigations appear to be still ongoing. Fortunately, GitHub appears to have started offering other authentication methods.

The Waves We Saw, 2008 - 2012
We saw eight sequences (complete list of articles in the References section at the end of the overview article The Hail Mary Cloud And The Lessons Learned):

| From - To | Attempts | User IDs | Hosts | Successful Logins |
|---|---|---|---|---|
| 2008-11-19 15:04:22 - 2008-12-30 11:09:03 | 29916 | 6100 | 1193 | 0 |
| 2009-04-07 03:56:25 - 2009-04-12 21:01:37 | 12641 | 249 | 1104 | 0 |
| 2009-09-30 21:15:36 - 2009-10-15 13:42:07 | 9998 | 1 | 1071 | 0 |
| 2009-10-28 23:58:35 - 2010-01-22 09:56:24 | 44513 | 8110 | 4158 | 0 |
| 2010-06-17 01:55:34 - 2010-08-11 13:23:01 | 23014 | 3887 | 5568 | 0 |
| 2011-10-23 04:13:00 - 2011-10-29 05:40:07 | 4773 | 944 | 338 | 0 |
| 2011-11-03 20:56:18 - 2011-11-26 17:42:19 | 4907 | 2474 | 252 | 0 |
| 2012-04-01 12:33:04 - 2012-04-06 14:52:11 | 4757 | 1081 | 23 | 0 |

Conditions for use of the data: The data collected here (as well as the data available via references in the online columns) can be used freely for analysis and study and may be re-published in such contexts, as long as proper source attribution is used. An example of such attribution is: data collected by Peter N. M. Hansteen (peter@bsdly.net). For other use or more extensive assistance, please contact me for specific arrangements.

