TY - GEN
T1 - CAUDIT: Continuous auditing of SSH servers to mitigate brute-force attacks
AU - Cao, Phuong M.
AU - Wu, Yuming
AU - Banerjee, Subho S.
AU - Azoff, Justin
AU - Withers, Alexander
AU - Kalbarczyk, Zbigniew T.
AU - Iyer, Ravishankar K.
N1 - Funding Information:
We thank the NCSA security team, the students who participated in the SDAIA project, and the partnering sites for supporting CAUDIT operational deployment; DEPEND group members, anonymous reviewers, and our shepherd, Prof. Vyas Sekar, for providing valuable feedback; and Ms. Jenny Applequist for proofreading. This material is based upon work supported by the National Science Foundation under Grant Nos. 1535070 and 1547249. The opinions, findings, and conclusions stated herein are those of the authors and do not necessarily reflect those of the sponsors.
Publisher Copyright:
© 2019 by The USENIX Association. All Rights Reserved.
PY - 2019
Y1 - 2019
AB - This paper describes CAUDIT, an operational system deployed at the National Center for Supercomputing Applications (NCSA) at the University of Illinois. CAUDIT is a fully automated system that enables the identification and exclusion of hosts that are vulnerable to SSH brute-force attacks. Its key features include: 1) a honeypot for attracting SSH-based attacks over a /16 IP address range and extracting key metadata (e.g., source IP, password, SSH-client version, or key fingerprint) from these attacks; 2) executing audits on the live production network by replaying attack attempts recorded by the honeypot; 3) using the IP addresses recorded by the honeypot to block SSH attack attempts at the network border with a Black Hole Router (BHR), which also significantly reduces the load on NCSA's security monitoring system; and 4) the ability to inform peer sites of attack attempts in real time to ensure containment of coordinated attacks. The system combines existing techniques with custom-built components, and its novelty is its ability to execute at a scale that has not been validated earlier (with thousands of nodes and tens of millions of attack attempts per day). Experience over 463 days shows that CAUDIT successfully blocks an average of 57 million attack attempts per day using the proposed BHR. This represents a 66× reduction in the number of SSH attempts compared to the daily average and has reduced the traffic to NCSA's internal network-security-monitoring infrastructure by 78%.
UR - http://www.scopus.com/inward/record.url?scp=85068741826&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85068741826&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85068741826
T3 - Proceedings of the 16th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2019
SP - 667
EP - 682
BT - Proceedings of the 16th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2019
PB - USENIX Association
T2 - 16th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2019
Y2 - 26 February 2019 through 28 February 2019
ER -