A week or so ago I created an SSH tarpit in Golang -
https://github.com/bentasker/Golang-SSH-Tarpit
I've had that running on a public connection since, so it'd be interesting to analyse the logs and see what behaviour's observed.
In particular
- Do tarpitted clients all seem to have sane timeouts configured?
- What country is the worst offender?
- Any other interesting patterns?
Activity
2021-01-12 11:58:09
Extracting logs:
Log start and end date
So that's 8 days
How many entries?
So, on average, that's a rate of 1818 per day / 76 per hour going into the tarpit
5 shortest tarpit durations
5 longest
41456 seconds is just a little under 12 hours.
Those figures, of course, ignore any connections currently still stuck in the tarpit. Let's see how many of those there are, and when they connected
ben@PIHRP1:~ $ for victim in `cat tarpit_log.log | grep Tarpitting | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\:[0-9]\{1,5\}'`
> do
>
> grep "Coward disconnected: $victim" tarpit_log.log > /dev/null
> if [ "$?" == "1" ]
> then
> # Disconnect not found
> echo $victim
> fi
>
> done
221.181.185.220:62081
221.131.165.119:63232
221.181.185.19:45169
221.181.185.135:28917
ben@PIHRP1:~ $ egrep -e '221.181.185.220:62081|221.131.165.119:63232|221.181.185.19:45169|221.181.185.135:28917' tarpit_log.log | grep -o -P "2021/[0-9]+/[0-9]+"
2021/01/12
2021/01/12
2021/01/12
2021/01/12
How many unique IPs are there
ben@PIHRP1:~ $ grep Tarpit tarpit_log.log | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' > ip_list.txt
ben@PIHRP1:~ $ cat ip_list.txt | sort | uniq | wc -l
527
How many distinct
ben@PIHRP1:~ $ cat ip_list.txt | sort | awk -F'.' -v OFS=. '{print $1,$2,"0.0/16"}' | uniq -c | wc -l
290
What countries?
So, Vietnam is by far the worst offender.
2021-01-12 12:14:08
We've seen that there are bots out there that don't have client-side timeouts configured, and get stuck in the tarpit for quite a while.
We've also seen that the majority of tarpitted clients geolocate to Vietnam, but - is that true for the majority of poorly configured clients?
Taking a sample of the 1000 longest tarpits.
The shortest/longest tarpit duration was
Country distribution:
for ip in `grep Coward tarpit_log.log | sort -n -k 6 | tail -n 1000 | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' `
do
geoiplookup $ip | grep -o "[A-Z][A-Z],"
done | sort | uniq -c | sort -nr
1000 CN,
Ok, what if we switch it around to be anything longer than 60s?
for ip in `grep Coward tarpit_log.log | awk -F' ' '{if ($6 > 60) print $0}' | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' `
do
geoiplookup $ip | grep -o "[A-Z][A-Z],"
done | sort | uniq -c | sort -nr
1548 CN,
26 TH,
22 US,
20 RU,
17 VN,
15 EG,
7 BR,
6 BD,
2 ID,
1 ZA,
1 TR,
1 BG,
The share of connections from
Much the same if we adjust down to 20s
ben@PIHRP1:~ $ for ip in `grep Coward tarpit_log.log | awk -F' ' '{if ($6 > 20) print $0}' | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' `; do geoiplookup $ip | grep -o "[A-Z][A-Z]," ; done | sort | uniq -c | sort -nr
1570 CN,
69 RU,
50 VN,
41 US,
35 TH,
28 BR,
23 EG,
19 BD,
17 ID,
10 IN,
7 GB,
6 DO,
3 TR,
3 AZ,
2 ZA,
2 MY,
2 KZ,
2 GH,
1 SG,
1 SE,
1 SC,
1 SA,
1 RS,
1 MA,
1 ES,
1 DE,
1 BG,
1 BE,
So, based on this (admittedly, relatively small) sample:
- You're most likely to see connections from Vietnam
- However, if the client is poorly configured it's statistically more likely to originate from China than Vietnam
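As an added illustration (not part of these notes or of the tarpit project itself), the stuck-connection check, the unique IP and /16 counts, and the duration-threshold breakdown by country from above, collected into one small script that runs offline against a constructed log. The log line layout is an assumption derived from the field positions the commands above rely on (the sixth field of a "Coward" line being the duration in seconds); the sample lines, the documentation-range addresses and the lookup_country stub that stands in for geoiplookup are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes or the tarpit project.
# ASSUMED log layout, taken from the field positions the page's commands rely on
# (awk $6 / sort -k 6 on the "Coward" line is the duration in seconds):
#   YYYY/MM/DD HH:MM:SS Tarpitting IP:PORT
#   YYYY/MM/DD HH:MM:SS Coward disconnected: IP:PORT SECONDS seconds
# Sample lines are constructed and use documentation address ranges.
LOG="${TMPDIR:-/tmp}/tarpit_sample.$$.log"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
2021/01/12 09:00:01 Tarpitting 198.51.100.7:40000
2021/01/12 09:00:02 Tarpitting 198.51.100.8:40001
2021/01/12 09:00:03 Tarpitting 198.51.100.9:40002
2021/01/12 09:00:04 Tarpitting 203.0.113.10:51000
2021/01/12 09:00:05 Tarpitting 203.0.113.11:51001
2021/01/12 09:00:06 Coward disconnected: 198.51.100.7:40000 5 seconds
2021/01/12 09:00:08 Coward disconnected: 198.51.100.8:40001 6 seconds
2021/01/12 09:00:09 Tarpitting 192.0.2.200:2222
2021/01/12 09:01:15 Coward disconnected: 198.51.100.9:40002 72 seconds
2021/01/12 09:02:10 Tarpitting 198.51.100.7:40003
2021/01/12 09:30:04 Coward disconnected: 203.0.113.10:51000 1800 seconds
2021/01/12 20:59:59 Coward disconnected: 203.0.113.11:51001 43195 seconds
EOF

IP_RE='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'

# Connections that entered the tarpit and never logged a disconnect.
# Keyed on the exact ip:port, so 198.51.100.7:4000 cannot be mistaken for
# 198.51.100.7:40000 the way a plain substring grep would.
stuck_connections() {
    awk '$3 == "Tarpitting" { stuck[$4] = $1 " " $2 }
         $3 == "Coward" && $4 == "disconnected:" { delete stuck[$5] }
         END { for (v in stuck) print stuck[v], v }' "$1" | sort
}

# Distinct source IPs and distinct /16 networks seen entering the tarpit.
count_unique_ips() {
    grep Tarpitting "$1" | grep -o "$IP_RE" | sort -u | awk 'END { print NR }'
}
count_unique_16s() {
    grep Tarpitting "$1" | grep -o "$IP_RE" \
        | awk -F. -v OFS=. '{ print $1, $2, "0.0/16" }' | sort -u | awk 'END { print NR }'
}

# Duration statistics over the completed ("Coward") connections.
shortest_duration() { awk '$3 == "Coward" { print $6 }' "$1" | sort -n | head -n 1; }
longest_duration()  { awk '$3 == "Coward" { print $6 }' "$1" | sort -n | tail -n 1; }
count_longer_than() { awk -v t="$2" '$3 == "Coward" && $6 + 0 > t' "$1" | awk 'END { print NR }'; }

# Stand-in for `geoiplookup $ip | grep -o "[A-Z][A-Z],"` so this runs offline.
# The mapping is constructed for the sample data, not real geolocation.
lookup_country() {
    case "$1" in
        198.51.100.*) echo "VN," ;;
        203.0.113.*)  echo "CN," ;;
        *)            echo "--," ;;
    esac
}

# Country breakdown of connections held longer than $2 seconds, in the same
# "count CC," shape as the sort | uniq -c | sort -nr output above.
countries_over() {
    awk -v t="$2" '$3 == "Coward" && $6 + 0 > t { print $5 }' "$1" \
        | sed 's/:[0-9]*$//' \
        | while read -r ip; do lookup_country "$ip"; done \
        | sort | uniq -c | sort -nr
}

# Country breakdown of every connection that entered the tarpit.
countries_all() {
    grep Tarpitting "$1" | grep -o "$IP_RE" \
        | while read -r ip; do lookup_country "$ip"; done \
        | sort | uniq -c | sort -nr
}

echo "Still stuck:";          stuck_connections "$LOG"
echo "Unique IPs: $(count_unique_ips "$LOG"), /16s: $(count_unique_16s "$LOG")"
echo "Shortest: $(shortest_duration "$LOG")s, longest: $(longest_duration "$LOG")s"
echo "Held > 60s: $(count_longer_than "$LOG" 60)"
echo "All connections by country:"; countries_all "$LOG"
echo "Held > 60s by country:";     countries_over "$LOG" 60
```

On the sample data the two breakdowns disagree in the same way the real logs did: most connections geolocate to one country, but the ones held past the threshold mostly come from another. To run it against a real log, point LOG at the file, drop the heredoc, and replace the body of lookup_country with the geoiplookup call it stands in for.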
2021-05-26 08:45:22
2021-05-26 08:45:22
2021-05-26 08:45:29