Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 9 Jan 2018 10:25:23 -0500
From:      Mike Tancsa <>
Subject:   =?UTF-8?Q?Re:_Meltdown_=e2=80=93_Spectre?=
Message-ID:  <>
In-Reply-To: <>
References:  <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On 1/9/2018 9:38 AM, James B. Byrne via freebsd-questions wrote:
> I have read some accounts which seem to imply that the rate of ssh
> attacks measurably increased following the announcement of these two
> flaws.  The implication being that there was some cause and effect
> relationship.  I cannot fathom what this could be.

They are up, but I suspect its the normal uptick post holidays. Here is
a pretty well sampled view of scanning

I seem to recall similar trends in previous years.

> if only authorized software is permitted to run therein, then how much
> of a threat does this development pose to such?

Well, its hard to say and I guess it depends who the attackers are and
what their goals are. If its opportunistic bots just hammering away in
brute force at your perimeter, its one thing. If its someone trying to
figure out out to get access to your internal network thats another.
Breaches of the later I think will often be chained.  e.g. use a broken
web facing app to allow the attacker to upload and execution of
arbitrary code. That code then can work on exploiting other, local
vulnerabilities including meltdown/spectre.  In that sense, its another
(serious) local priv escalation issue to worry about.

> It seems to me that public 'cloud' environments is where this sort of
> stuff would find its most vulnerable targets.  Private data systems
> are no more likely to succumb to attacks along this vector than to any
> other routinely available rootkit.  Is that a fair assessment?

I think what Spectre and Meltdown uniquely bring to the table are ways
to attack neighbouring VMs that were previously thought to be relatively
safe. A local root kit was a local root kit.  With Meltdown, all the VM
instances are only as safe as the weakest link on that hardware. There
have been bugs in the past that allowed this type of attack, but those
were relatively rare and hard to exploit (IIRC).


Mike Tancsa, tel +1 519 651 3400
Sentex Communications,
Providing Internet services since 1994
Cambridge, Ontario Canada

Want to link to this message? Use this URL: <>