Caudit: Continuous auditing of SSH servers to mitigate brute-force attacks

Phuong M. Cao, Yuming Wu, Subho S. Banerjee, Justin Azoff, Alexander Withers, Zbigniew T. Kalbarczyk, Ravishankar K. Iyer

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

This paper describes CAUDIT, an operational system deployed at the National Center for Supercomputing Applications (NCSA) at the University of Illinois. CAUDIT is a fully automated system that enables the identification and exclusion of hosts that are vulnerable to SSH brute-force attacks. Its key features include: 1) a honeypot for attracting SSH-based attacks over a /16 IP address range and extracting key meta-data (e.g., source IP, password, SSH-client version, or key fingerprint) from these attacks; 2) executing audits on the live production network by replaying attack attempts recorded by the honeypot; 3) using the IP addresses recorded by the honeypot to block SSH attack attempts at the network border with a Black Hole Router (BHR), while significantly reducing the load on NCSA's security monitoring system; and 4) the ability to inform peer sites of attack attempts in real time to ensure containment of coordinated attacks. The system is composed of existing techniques with custom-built components, and its novelty is its ability to execute at a scale that has not been validated earlier (with thousands of nodes and tens of millions of attack attempts per day). Experience over 463 days shows that CAUDIT successfully blocks an average of 57 million attack attempts on a daily basis using the proposed BHR. This represents a 66× reduction in the number of SSH attempts compared to the daily average and has reduced the traffic to the NCSA's internal network-security-monitoring infrastructure by 78%.

Original language: English (US)
Title of host publication: Proceedings of the 16th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2019
Publisher: USENIX Association
Pages: 667-682
Number of pages: 16
ISBN (Electronic): 9781931971492
State: Published - 2019
Event: 16th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2019 - Boston, United States
Duration: Feb 26 2019 - Feb 28 2019

Publication series

Name: Proceedings of the 16th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2019

Conference

Conference: 16th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2019
Country: United States
City: Boston
Period: 2/26/19 - 2/28/19

ASJC Scopus subject areas

  • Control and Systems Engineering
  • Computer Networks and Communications
