On December 10, Cristian Munteanu successfully defended his thesis with the title "Getting to the root of SSH Compromises: A Multi-Dimensional Characterization of the SSH Threat Landscape". He joined MPI for Informatics and Saarland University as a doctoral candidate in March 2021. The thesis was supervised by Prof. Dr. Anja Feldmann, Director of the Internet Architecture department, and Prof. Dr. Georgios Smaragdakis, Professor for Cybersecurity at TU Delft. The doctoral degree is awarded by Saarland University.
Abstract of the thesis:
The Internet has become a critical infrastructure, attracting a vast amount of activity, including malicious threats. The Secure Shell Protocol (SSH), the successor of Telnet, designed for secure machine-to-machine communication, is one of the most widely used protocols on the Internet. Due to its ubiquity, SSH has become a prime target for attackers. Over the years, SSH attacks have evolved, and their frequency has only increased. In this thesis, we investigate the nature of these attacks, including their origins, methods, and targets. We conduct a retrospective study and a longitudinal analysis using a large honeyfarm, as well as an active analysis to identify compromised SSH servers.
Through a global network of honeypots, we analyze approximately 750 million SSH sessions over a three-year period. The dataset, collected from 221 honeypots across 55 countries, reveals stark variations in activity: some honeypots observe millions of connections, while others record only a few thousand. We also analyze attacker behavior, uncovering a shift toward more exploratory attacks and increased reconnaissance efforts. Additionally, attackers increasingly leverage recently registered Autonomous Systems (ASes) to store and distribute malicious files. Our findings suggest that attackers are becoming more aware of honeypot presence, with some actively seeking to evade detection.
To extend our analysis, we propose a method to identify compromised SSH servers at scale. We exploit SSH's authentication behavior, where a challenge is only issued if a public key is installed. This approach neither grants access to compromised systems (unlike testing known attacker passwords), nor requires privileged access for auditing. Applying this methodology to a comprehensive Internet scan, we identify over 21,700 compromised systems across 1,649 ASes in 144 countries. These include critical infrastructure where attackers have installed at least one of 52 verified malicious SSH keys provided by a threat intelligence company.
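The authentication behavior the abstract refers to is the signature-less "publickey" query of RFC 4252 section 7: a client may send a USERAUTH_REQUEST that names a public key but carries no signature, and the server answers USERAUTH_PK_OK only if that key would be accepted (i.e. it is listed in the user's authorized_keys), otherwise USERAUTH_FAILURE. The following is an added example, not code from the thesis or its tooling. It models both sides of that exchange in Python on top of the RFC 4251 wire encoding, plus a local authorized_keys audit for hosts one administers. It skips the transport layer entirely (key exchange, encryption and packet framing), so the messages here are the plaintext payloads that would travel inside the encrypted channel; the user name "root", the ed25519 key material and the sample authorized_keys file are constructed for the example and are not real indicators of compromise.

```python
import base64
import hashlib
import struct

# Message numbers from RFC 4252 (SSH Authentication Protocol).
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_PK_OK = 60

# Prefixes of the key-type field in authorized_keys lines (ssh-rsa, ssh-ed25519, ecdsa-sha2-*, sk-*).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (value, offset after it)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def ed25519_blob(raw32: bytes) -> bytes:
    """Wire-format public key blob for ssh-ed25519 (RFC 8709): string "ssh-ed25519", string key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 with the '=' padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def build_pk_query(user: str, blob: bytes) -> bytes:
    """Client side of the probe: a publickey USERAUTH_REQUEST with the signature flag FALSE
    (RFC 4252 section 7). It asks whether the key would be acceptable and carries no proof of
    possession, so the prober needs no private key and never logs in."""
    algo, _ = read_string(blob, 0)            # the algorithm name is the blob's first field
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey")
            + b"\x00"                          # boolean FALSE: no signature follows
            + ssh_string(algo)
            + ssh_string(blob))


def parse_authorized_keys(text: str) -> set:
    """Return the set of decoded key blobs in an authorized_keys file. Skips blank lines and
    comments; tolerates a leading options field (even one with quoted spaces) by taking the
    first whitespace-separated field that looks like a key type."""
    blobs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPE_PREFIXES):
                try:
                    blobs.add(base64.b64decode(fields[i + 1], validate=True))
                except ValueError:
                    pass                       # malformed base64: sshd would ignore the line too
                break
    return blobs


def server_handle_request(msg: bytes, authorized_blobs: set) -> bytes:
    """Modelled server side: PK_OK iff the offered blob is authorized, otherwise USERAUTH_FAILURE.
    This is exactly the behavior a remote prober observes to identify an installed key."""
    if msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    off = 1
    _user, off = read_string(msg, off)
    _service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    has_signature = msg[off] != 0
    off += 1
    algo, off = read_string(msg, off)
    blob, off = read_string(msg, off)
    if method != b"publickey" or has_signature:
        raise ValueError("this model only covers the signature-less publickey query")
    if blob in authorized_blobs:
        return bytes([SSH_MSG_USERAUTH_PK_OK]) + ssh_string(algo) + ssh_string(blob)
    return bytes([SSH_MSG_USERAUTH_FAILURE]) + ssh_string(b"publickey,password") + b"\x00"


def probe(user: str, blob: bytes, authorized_keys_text: str) -> bool:
    """One round trip against the modelled server: is this key installed for this user?"""
    reply = server_handle_request(build_pk_query(user, blob), parse_authorized_keys(authorized_keys_text))
    return reply[0] == SSH_MSG_USERAUTH_PK_OK


def audit(authorized_keys_text: str, blocklist: set) -> list:
    """Local counterpart for hosts you administer: fingerprints in the file that are on a blocklist."""
    return sorted(fp for fp in map(fingerprint, parse_authorized_keys(authorized_keys_text)) if fp in blocklist)


# Constructed sample data (not real indicators): the 32-byte ed25519 values are arbitrary.
ATTACKER_KEY = ed25519_blob(bytes(range(32)))       # stands in for a threat-intelligence key
ADMIN_KEY = ed25519_blob(bytes(range(100, 132)))
UNRELATED_KEY = ed25519_blob(bytes(32))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed ~/.ssh/authorized_keys",
    "ssh-ed25519 " + base64.b64encode(ADMIN_KEY).decode() + " admin@example.org",
    'no-pty,command="echo ok" ssh-ed25519 ' + base64.b64encode(ATTACKER_KEY).decode() + " x",
])

if __name__ == "__main__":
    for name, key in [("attacker", ATTACKER_KEY), ("admin", ADMIN_KEY), ("unrelated", UNRELATED_KEY)]:
        print(name, "PK_OK" if probe("root", key, SAMPLE_AUTHORIZED_KEYS) else "FAILURE")
    print("blocklist hits:", audit(SAMPLE_AUTHORIZED_KEYS, {fingerprint(ATTACKER_KEY)}))
```

Two points the model makes visible: the server's answer depends only on whether the blob is in the file, so a prober holding a list of known attacker public keys can test each one without ever authenticating; and the same fingerprint comparison run locally over authorized_keys is the cheapest check an operator can add to their own hosts. Sending such queries to systems one does not own or have permission to test is still unauthorized access testing and should be coordinated the way the abstract describes, via a CSIRT or a notification partner.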
Our investigation also uncovers insights into malicious campaigns such as the "fritzfrog" IoT botnet and threat actors like "teamtnt". Moreover, we collaborate with a national CSIRT and the Shadowserver Foundation to notify affected entities and facilitate remediation efforts. We run our measurements continuously and automatically share notifications.
