
I recently put a Linux server online and it didn't take long until I had the first attempts to brute-force the SSH login. It's not that I am worried about that - I trust the security of my server. But just out of boredom I looked up some of the originating IP addresses and noticed that almost all of them were Chinese.

Why is it that so many cracking attempts originate from China?

Does China provide an environment which is favorable for cybercrime to bloom? Or are we actually dealing with people from other countries who just like to use botnet zombies from China? In any case: The Chinese government is known for its ability to censor the internet access for their people. Why don't they use that infrastructure to shut down the criminal activity originating from their network?

Philipp
  • I recall somewhere that about 70%? of China's PC operating systems are XP, and the chances of them being patched are pretty low. I will say they are juicy targets to turn into botnets. – hoa Aug 30 '14 at 13:47
  • It's maybe your neighbor who hides his own address by spoofing a Chinese IP address. – F. Hauri - Give Up GitHub Aug 30 '14 at 20:40
  • @F.Hauri Spoofing the IP address is not going to work in the case of SSH brute force or any other attack requiring a three-way handshake. If the IP is spoofed, the SSH client won't be able to interact with the server. The attackers might be using an exit node in China via TOR, or may have purchased a cheap VPS server there; that is why the majority of the attacking IPs are Chinese. However, IP spoofing won't work in SSH brute force. – void_in Aug 31 '14 at 00:04
  • Because authorities in China don't care about attackers situated in China attacking random targets elsewhere in the world. At all. Especially if the attack authors are part of Chinese criminal organizations that the government itself sometimes uses as proxies to go after Western targets. There is exactly zero cooperation on bringing hackers to justice between China and almost all of the rest of the world. And, unfortunately, no obvious signs of that changing anytime soon. – mostlyinformed Jan 05 '16 at 14:20

2 Answers

First, China has lots of people. It has more than 4 times as many inhabitants as the USA. Then lots of them are young and well educated and smart enough to do hacking. And while I'm sure that China has tough laws against hacking of Chinese infrastructure, it might even profit from hacking outside infrastructure. This way of thinking is not specifically Chinese; just remember privateers, or recent hacks against Brazil by Anonymous with the help of the FBI.

Steffen Ullrich

I have implemented fail2ban and it does protect me well from SSH attacks. I increased all of the defaults to make it tighter and block longer, and with only one glitch (not proved that it was a fail2ban issue) all works well. But there are so many Chinese attempts that you cannot consider this just casual, but more organised.

My belief is that China has some restricted policies on what its public can view. In order to isolate the allowed sites from the not-allowed sites, I suspect there is some investigation that needs to be done. Getting root access would give them the opportunity to search DBs and investigate. I suspect this has something to do with the Chinese attention.
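As an added illustration of the fail2ban behaviour the answer above relies on (this is not the answerer's code nor fail2ban's own), the following Python re-implements the maxretry/findtime/bantime sliding window over a constructed sshd log excerpt. The log lines and IPs (documentation ranges) are constructed, the stock fail2ban defaults (5 retries within 10 minutes, 10-minute ban) are taken as the weak baseline, and the "tightened" values are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log excerpt (syslog format has no year; 2014 is assumed).
SAMPLE_LOG = """\
Aug 30 13:47:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug 30 13:47:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Aug 30 13:47:05 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 51251 ssh2
Aug 30 13:47:09 host sshd[1204]: Accepted publickey for philipp from 198.51.100.7 port 40211 ssh2
Aug 30 13:52:30 host sshd[1210]: Failed password for root from 198.51.100.9 port 33001 ssh2
Aug 30 14:10:00 host sshd[1222]: Failed password for root from 198.51.100.9 port 33002 ssh2
Aug 30 14:30:00 host sshd[1230]: Failed password for root from 198.51.100.9 port 33003 ssh2
"""

# Matches only failed password attempts; successful logins are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2014):
    """Yield (timestamp, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_bans(log_text, maxretry=5, findtime=600, bantime=600):
    """Sliding-window check modelled on fail2ban: an IP is banned for
    `bantime` seconds once it has `maxretry` failures within `findtime`
    seconds. Defaults mirror fail2ban's stock values. Returns {ip: expiry}."""
    recent = defaultdict(deque)  # per-IP timestamps inside the window
    bans = {}
    for ts, ip in parse_failures(log_text):
        if ip in bans and ts < bans[ip]:
            continue  # still banned: fail2ban's firewall rule drops the packet
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # age out failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


if __name__ == "__main__":
    print("stock defaults:", find_bans(SAMPLE_LOG))
    print("tightened:     ", find_bans(SAMPLE_LOG, maxretry=3, bantime=3600))
```

With the stock defaults nothing on this excerpt is banned; with maxretry lowered to 3 the host sending three failures in four seconds is banned for an hour, while the slow attempts every twenty minutes still fall outside findtime.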