Originally Posted by SlowCoder
Why do most SSH attacks seem to come from Asian countries?
Looking at http://www.internetworldstats.com/stats.htm
you see that right now Asia has the most netizens, followed by Europe and Northern America in third place. So by total amount of users the chance it's a scan from Asia should be much higher, and your experience correlates (for now) with http://www.mynetwatchman.com/LIS.asp?Queue=HBRD
(select incident reports, "Largest Incidents 7 Days").
Changing scope, a different spread is shown however in the historical view of http://www.incidents.org/country.html
(select all countries, port 22, date 2004), http://www.shadowserver.org/wiki/pmw...cations#tables
and Honeynets in other locations like http://www.honeypots-alliance.org.br/stats/flows/cc/
(Top Source Country Codes) and http://www.honeynet.cz/?mmenu=statis...ang=en&vmetr=1
(top 10 countries biggest number of attacks). While it is third in the internetworldstats you see it appears Northern America being responsable for a large, and in some places largest, portion of scans. BTW you should also notice that for instance http://www.juniper.net/security/honeypot/
doesn't even mark TCP/22 as the most scanned port anymore. Most previously mentioned sources agree.
While there are people who scan whole class A networks from their own machines I doubt most (semi-) professional teams do that. And since obviously the most common practice is to use subverted machines as gateways you cannot determine who's behind it unless the scanner makes a mistake or gets trapped in a honeypot. Even then chances are you only have the puppet and not the master (http://ddanchev.blogspot.com/
, anything RBN-related or botnet stats on shadowserver.org). After all the 'net is a twentyfour-slash-seven business and you could well field any amount of teams across TZs to do the work for you.
I would dig the ClippyOS remark if it made sense in terms of power, efficiency (automated activity) or monetary value, but I think a large portion of scanners are not ClippyOS-based but using GNU/Linux ("follow the money", virus activity, malware, next to ddanchev also see http://honeynet.org.au/?q=node/16
). GNU/Linux usage would be easier to explain since next to open proxies and full-out frontal compromises there's a lot of misconfiguration that causes easy entry. If you wade through lists of IPs from Asia you should frequently find ISP, university and company MTA's, DNSes, gateways and whatnot. While misconfiguration is not typically something only Asia suffers from, it's clear they continue to suffer from structural problems throughout their whole chain ranging from APNIC being in constant upheaval, CERTs being powerless, ISPs not caring or unable to communicate with to ISPs, institutes, companies and home users using outdated software and not adhering to any best practices.
So, in kinda "executive overview"-stylee that would be IMHO:
A: Depending on view not even in the top-10.
Q: Asia only?
A: No. Stats show it depends on location.
Q: Asia "more evil" or active compared to say Northern America?
A: No. Stats show definately not.
REM Anyone seeing anything to correct: BMG.