CAUDIT: Continuous Auditing of SSH-Servers To Mitigate Brute-Force Attacks

Phuong M. Cao, Yuming Wu, Subho S. Banerjee, Justin Azoff, Alex Withers, Zbigniew T. Kalbarczyk, and Ravishankar K. Iyer

NSDI 2019


This paper describes CAUDIT, an operational system deployed at the National Center for Supercomputing Applications (NCSA) at the University of Illinois. CAUDIT is a fully automated system to enable the identification and exclusion of hosts that are vulnerable to SSH brute-force attacks. Its key features includes: 1) a honeypot for attracting SSH-based attacks over a /16 IP address range and extracting key-metadata (e.g., source IP, password, SSH-client version, or -key) from these attacks; 2) executing audits on the live production network by replaying attack attempts recorded by the honeypot; 3) using the IP addresses recorded by the honeypot to block SSH attack attempts at the network border using a Black Hole Router (BHR) while significantly reducing the load on NCSA’s security monitoring system; and 4) informing peer sites of attack attempts in real-time to ensure containment of coordinated attacks. The system is composed of existing techniques with custom-built components, and its novelty is to execute at a scale that has not been validated earlier (thousands of nodes and tens of millions of attack attempts per day). Experience over 463 days shows that CAUDIT successfully blocks an average of 57 million attack attempts on a daily basis using the proposed BHR. This represents a 66× reduction in the number of SSH attempts compared to the daily average and has reduced 78% of the traffic to the NCSA internal network-security-monitoring infrastructure.

In the News


@inproceedings {Cao2019,
  author = {Phuong M. Cao and Yuming Wu and Subho S. Banerjee and Justin Azoff and Alex Withers and Zbigniew T. Kalbarczyk and Ravishankar K. Iyer},
  title = {{CAUDIT}: Continuous Auditing of {SSH} Servers To Mitigate Brute-Force Attacks},
  booktitle = {16th {USENIX} Symposium on Networked Systems Design and Implementation ({NSDI} 19)},
  year = {2019},
  isbn = {978-1-931971-49-2},
  address = {Boston, MA},
  pages = {667--682},
  url = {},
  publisher = {{USENIX} Association},

Related Projects

  • Powered by Hugo
  • Last updated 10/21/2021
  • Feed