Alert! Brute-Force SSH Attacks Rampant in the Wild: New Study From 427 Million Failed SSH Login Attempts

A comprehensive four-year study of brute-force attacks against SSH servers has revealed an alarming increase in the frequency and sophistication of these cyber attacks on internet-connected systems.

The research by scientists at the University of Utah provides unprecedented insight into the evolving tactics used by attackers attempting to gain unauthorized access to servers, routers, IoT devices and more.

“SSH brute-force attacks are not only persistent, but are rapidly growing more aggressive,” said Sachin Kumar Singh, a PhD student who led the study. “Our data shows the daily number of attack attempts is skyrocketing, especially in recent years.”

The researchers analyzed over 427 million failed SSH login attempts across more than 500 servers on CloudLab, a public cloud platform used by academic researchers worldwide. Their findings paint a sobering picture of the modern cybersecurity landscape.

Shifting Targets

While attackers have historically focused on guessing common administrator usernames like “root” and “admin”, the study found a notable shift in recent years.

Cyber criminals now heavily target usernames associated with cloud service images, network devices, IoT products and specific software packages.

“Attackers are going after usernames for everything from internet routers and database servers to gaming software and Linux distributions intended for cloud use,” explained Singh.

“They are trying to compromise a wide range of devices and services connected to the internet.”

The researchers identified spikes in attacks on certain usernames and devices immediately following public disclosures of related vulnerabilities, suggesting attackers rapidly operationalize new exploits.


Persistent and Evolving Threats

Beyond changes in targeted usernames, the data revealed a wide diversity of attacker behaviors and persistence levels.

While over half of the attacks came from IP addresses that disappeared within 24 hours, some attackers persisted in their efforts for months or even years.

Certain attackers attempted just a handful of usernames, while others cycled through thousands of different combinations. The study also uncovered groups of attackers sharing identical lists of usernames across multiple IP addresses, indicating coordination.

“The brute-force attack landscape is highly dynamic,” said Robert Ricci, a research professor at the University of Utah who oversaw the study. “Attackers constantly adapt their tactics based on new intelligence and vulnerabilities. Defending against these threats requires advanced, evolving defensive measures.”

A Novel Defense

The researchers developed a defensive technique called Dictionary-Based Blocking (DBB) to counter the onslaught. By analyzing the username dictionaries used by attackers, DBB can block 99.5% of brute-force attacks while allowing legitimate user access.

When evaluated against the industry-standard Fail2ban tool, DBB achieved significantly higher blocking rates while reducing false positives by 83%. The researchers have deployed DBB on CloudLab, which prevents four out of five previously unblocked attacks.
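The contrast between a threshold rule and a dictionary-aware rule, as an added illustration that is not the study's own DBB implementation: it parses a constructed sample of sshd auth log lines, then bans source IPs either by counting failures (the Fail2ban-style approach) or by checking how many attempted usernames fall in a hypothetical dictionary of the cloud-image, device and package names the article says attackers favour. The dictionary contents, log lines and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth.log lines (not real data): one attacker cycling
# image/device usernames, one legitimate user mistyping their password, one stray probe.
SAMPLE_LOG = """\
Nov 18 09:12:01 host sshd[1201]: Failed password for invalid user ubuntu from 203.0.113.5 port 41022 ssh2
Nov 18 09:12:03 host sshd[1202]: Failed password for invalid user ec2-user from 203.0.113.5 port 41030 ssh2
Nov 18 09:12:05 host sshd[1203]: Failed password for invalid user pi from 203.0.113.5 port 41041 ssh2
Nov 18 09:15:10 host sshd[1210]: Failed password for alice from 198.51.100.7 port 50110 ssh2
Nov 18 09:15:14 host sshd[1211]: Failed password for alice from 198.51.100.7 port 50111 ssh2
Nov 18 09:15:19 host sshd[1212]: Failed password for alice from 198.51.100.7 port 50112 ssh2
Nov 18 09:15:25 host sshd[1213]: Failed password for alice from 198.51.100.7 port 50113 ssh2
Nov 18 09:15:31 host sshd[1214]: Failed password for alice from 198.51.100.7 port 50114 ssh2
Nov 18 09:20:02 host sshd[1220]: Failed password for invalid user admin from 192.0.2.9 port 33001 ssh2
"""

# Hypothetical attacker username dictionary (assumption): the kinds of names the
# study describes, i.e. cloud images, network/IoT devices and software packages.
ATTACKER_DICT = {"ubuntu", "ec2-user", "centos", "pi", "admin",
                 "oracle", "postgres", "git", "minecraft"}

LINE_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_failures(log_text):
    """Map each source IP to the list of usernames it failed to log in as."""
    tried = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            tried[m.group(2)].append(m.group(1))
    return dict(tried)

def threshold_block(tried, max_failures=5):
    """Fail2ban-style rule: ban any IP with at least max_failures failures, whoever they are."""
    return {ip for ip, users in tried.items() if len(users) >= max_failures}

def dictionary_block(tried, dictionary, min_hits=2):
    """Simplified DBB-style rule: ban an IP once it has tried min_hits distinct dictionary names."""
    return {ip for ip, users in tried.items() if len(set(users) & dictionary) >= min_hits}

if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("threshold bans :", threshold_block(failures))                  # the mistyping user
    print("dictionary bans:", dictionary_block(failures, ATTACKER_DICT))  # the attacker
```

On this sample the threshold rule bans only the legitimate user (five typos) and misses the attacker, who stopped at three guesses, while the dictionary rule bans the attacker and leaves the real user alone.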

“Dictionary-Based Blocking represents a new frontier in defending against brute-force attacks,” said Singh. “It could be a game changer for protecting critical infrastructure and internet services from these persistent threats.”

The research highlights the importance of secure practices like using key-based authentication and strong passwords. As attackers grow increasingly tenacious and innovative, novel defensive approaches will be essential to maintaining a safe internet ecosystem.


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
