Location-Based Dictionary Attacks
I get daily security reports from the hosts I manage. Typically these contain invalid user attempts for users like guest, www, and root. (Although FreeBSD doesn't allow remote logins for root, I was surprised to find out that many Linux distributions allow them.)
Today's log surprised me, because it contained only Greek names. Here is an excerpt from the log.
Aug 1 00:19:42 istlab sshd: Invalid user achaikos from 22.214.171.124 Aug 1 00:19:45 istlab sshd: Invalid user achilleus from 126.96.36.199 Aug 1 00:19:48 istlab sshd: Invalid user actaeon from 188.8.131.52 Aug 1 00:19:51 istlab sshd: Invalid user acteon from 184.108.40.206 Aug 1 00:19:55 istlab sshd: Invalid user adelpha from 220.127.116.11 Aug 1 00:19:58 istlab sshd: Invalid user adelphe from 18.104.22.168 Aug 1 00:20:01 istlab sshd: Invalid user adelphie from 22.214.171.124 Aug 1 00:20:04 istlab sshd: Invalid user adonia from 126.96.36.199 Aug 1 00:20:08 istlab sshd: Invalid user adonis from 188.8.131.52 Aug 1 00:20:11 istlab sshd: Invalid user adrasteia from 184.108.40.206 Aug 1 00:20:14 istlab sshd: Invalid user adrastos from 220.127.116.11The attack came from a Hong-Kong-based machine, and the list contained many exotic names while also missing many common ones. Therefore, I doubt that this was a local attack. A Google search revealed that the name list was obtained by merging male Greek names and female Greek names from http://www.20000-names.com. Most probably an attack tool contains lists of names for specific countries (the same site also provides, African, Chinese, English, French, German, Hebrew, Irish, Italian, Japanese, Polish, Spanish, and Welsh names). The tool also maps the IP address of the host it attacks to a specific country, for instance, through the geolocation data of the IP-to-Country databases. Finally, the attack tool uses the country-specific list for trying to log in to those accounts. Attackers seem to be getting more sophisticated with every passing day. Read and post comments, or share through