SSH Security: Understanding Post-Login Threats and Non-Interactive Attacks
Non-interactive SSH attacks dominate post-login interactions, according to a study by Czech Technical University in Prague.
The Study’s Findings
Researchers from the Czech Technical University in Prague deployed eleven SSH honeypots across cloud servers in Frankfurt, Germany, for fifteen days in late May and early June. These honeypots recorded 177,622 authenticated sessions, all involving attackers who successfully bypassed initial authentication.
Non-Interactive Sessions Explained
Non-interactive sessions—where clients execute a single command and disconnect—accounted for 99.23% of total interactions. These sessions operate through a specific process: the client authenticates, issues a single command via an SSH exec request, and the server terminates the channel without allocating a terminal.
Methodology and Tools
The study utilized a modified version of the open-source tool AdvancedShelLM, which employs a large language model to generate realistic shell output. A locally hosted model managed most sessions, with two OpenAI models serving as backups. The backend system controlled the responses provided by the honeypots.
Reconnaissance and Testing Activities
The majority of traffic involves reconnaissance activities. The ten most frequent non-interactive commands accounted for 41.59% of traffic, primarily gathering basic system information. Commands like uname, which identifies the operating system and kernel, ranked highest.
Testing System Functionality
Researchers documented 2,178 sessions where attackers tested system functionality. One campaign sent a base64-encoded string for decoding, a process that produces a predictable result on a functional system. Others requested arithmetic operations, binary file dumps, or file creation and retrieval.
Evolving Tactics and Honeypot Challenges
A small number of sessions sought indicators of honeypot environments, such as checking for processes associated with Cowrie or kippo. These instances underscore the evolving tactics of threat actors. Researchers also scanned all sessions for prompt-injection attempts or references to AI models, finding no evidence of such activity.
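The following script is an added example, not code from the study or from AdvancedShelLM. It applies the distinctions the sections above draw to honeypot session records: a session is non-interactive when the client sent an exec request without a preceding pty-req, and each command is labelled as reconnaissance, a capability test (base64 decoding, arithmetic) or a honeypot check (looking for Cowrie or Kippo). The session records, the prefix lists and the intent labels are constructed for illustration.

```python
"""Classify honeypot SSH sessions as interactive vs non-interactive and tag
the command each one ran. Records below are constructed samples, not study data."""
from collections import Counter

# Constructed session records. 'requests' lists the SSH channel requests seen
# after authentication: 'pty-req' (terminal), 'shell', or 'exec' (one command).
SESSIONS = [
    {"requests": ["exec"], "cmd": "uname -a"},
    {"requests": ["exec"], "cmd": "echo aGVsbG8= | base64 -d"},
    {"requests": ["pty-req", "shell"], "cmd": "ls -la; cat /etc/passwd"},
    {"requests": ["exec"], "cmd": "ps aux | grep -i cowrie"},
    {"requests": ["exec"], "cmd": "uname -a"},
    {"requests": ["exec"], "cmd": "cat /proc/cpuinfo"},
]

# Command prefixes that only read system facts (assumed recon list).
RECON_PREFIXES = ("uname", "cat /proc", "id", "whoami", "nproc", "lscpu")
# Markers of the capability tests described above (base64 decode, arithmetic).
CAPABILITY_MARKERS = ("base64", "expr ", "$((")
# Process names a client looks for when probing for a honeypot.
HONEYPOT_MARKERS = ("cowrie", "kippo")

def is_non_interactive(session):
    """An exec request with no pty-req: one command, no terminal allocated."""
    reqs = session["requests"]
    return "exec" in reqs and "pty-req" not in reqs

def classify_command(cmd):
    """Assign a coarse intent label to a single non-interactive command."""
    low = cmd.lower()
    if any(m in low for m in HONEYPOT_MARKERS):
        return "honeypot-check"
    if any(m in low for m in CAPABILITY_MARKERS):
        return "capability-test"
    if low.startswith(RECON_PREFIXES):
        return "recon"
    return "other"

def summarize(sessions, top_n=2):
    """Non-interactive share, top-N commands with their share, and intent counts."""
    non_int = [s for s in sessions if is_non_interactive(s)]
    counts = Counter(s["cmd"] for s in non_int)
    top = counts.most_common(top_n)
    top_share = round(100 * sum(n for _, n in top) / len(non_int), 2)
    return {
        "non_interactive_pct": round(100 * len(non_int) / len(sessions), 2),
        "top_commands": top,
        "top_commands_pct": top_share,
        "intents": dict(Counter(classify_command(s["cmd"]) for s in non_int)),
    }
```

Run `summarize(SESSIONS)` on a real session export to see what share of the noise collapses into a handful of repeated commands, which is the grouping step the study relies on.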
Historical Trends
Historical data from CZ.NIC’s archive, spanning over 400 million sessions since 2017, shows non-interactive traffic has dominated since 2018. A notable increase occurred in October 2024, when non-interactive sessions rose to 97.4% in a single month.
Implications for Honeypot Design
The study emphasizes the need for honeypot designs to adapt to the prevalence of non-interactive attacks. Traditional engagement metrics, which prioritize session duration and command volume, may not capture the nuances of these rapid, automated interactions.
Recognizing non-interactive attack patterns enables analysts to categorize noise into broader campaigns, transforming thousands of short interactions into insights about underlying attack operations.
Conclusion
The dominance of non-interactive SSH attacks highlights the need for updated honeypot strategies. By focusing on detecting and analyzing these rapid interactions, security professionals can better understand and mitigate evolving threats.
