I suspect the distributed cracking will move to the same pattern as the SMTP/pop3 brute force guys did and use one IP per x+1 seconds where x=the ssh penalty window. We have seen this on our customer facing smtp server where we have hundreds of remote compromised IPs trying each one password per 30-60min. Still, I welcome this change as there are enough single prick attackers out there where this will help cut down on the size of the logs to process / digest.
Actually this already is the SOTA of cracking. My honeypot can see several different IPs brute forcing concurrently, and they seem irrelevant. But once you let one of them log in, it will quit immediately and all those IPs will go quiet after ~15 sec. Then one of those IPs will log in again to deploy a miner.
Reminds me of using the old MIRROR target in iptables back in the day, before it was removed because it's ridiculous. We used to watch script kiddies trying to brute force their own hosts, but even then we knew it was ripe for abuse.
Probably for the best, since it sounds like that could be used for DDoS amplification and/or reflection.
For example, if an attacker could spoof traffic to get two different reflectors hall-of-mirroring each other, or use a botnet that spoofs traffic to get one collection of dupes to slam a single victim in response, etc.
How would you spoof multiple valid packets in a TCP-based protocol requiring a sequence of interactions when you can't receive any of the ACKs (because they'll be sent to not-your-IP)?
This is already the practice in my experience. Fail2ban became completely useless for ssh about 5~6 years ago. Always just one to three tries per IP address.
So it looks like this openssh feature is a decade late.
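A defender-side illustration of the point made in the thread (one to three attempts per source IP, so per-IP banning such as fail2ban never reaches its threshold): this is an added example, not code from the thread, that parses constructed sshd log lines and correlates failures by target account across distinct source IPs rather than per source IP. Log lines, IPs and thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sshd log lines (not from the thread): at most two failures per
# source IP, under a typical per-IP maxretry, but all aimed at one account.
LOG = """\
2024-05-01T10:00:01 sshd[101]: Failed password for root from 198.51.100.10 port 40001 ssh2
2024-05-01T10:00:03 sshd[102]: Failed password for root from 198.51.100.11 port 40002 ssh2
2024-05-01T10:00:04 sshd[103]: Failed password for root from 198.51.100.12 port 40003 ssh2
2024-05-01T10:00:09 sshd[104]: Failed password for root from 198.51.100.13 port 40004 ssh2
2024-05-01T10:00:11 sshd[105]: Failed password for root from 198.51.100.10 port 40005 ssh2
2024-05-01T10:00:15 sshd[106]: Failed password for root from 198.51.100.14 port 40006 ssh2
2024-05-01T10:00:20 sshd[107]: Failed password for alice from 203.0.113.5 port 40007 ssh2
2024-05-01T10:30:00 sshd[108]: Failed password for root from 198.51.100.15 port 40008 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failures(text):
    """Return sorted (timestamp, user, source_ip) tuples for failed logins."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return sorted(events)

def per_ip_max(events):
    """Highest failure count from any single IP: what a per-IP ban rule sees."""
    counts = Counter(ip for _, _, ip in events)
    return max(counts.values()) if counts else 0

def distributed_bruteforce(events, window_s=60, min_ips=5):
    """Slide a window over failures per target account and alert when the
    number of distinct source IPs in it reaches min_ips, whatever each IP's
    own count is. Returns (user, window_start_iso, distinct_ip_count)."""
    alerts = []
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            ips = {ip for _, ip in evs[start:end + 1]}
            if len(ips) >= min_ips:
                alerts.append((user, evs[start][0].isoformat(), len(ips)))
                break  # one alert per account is enough for this illustration
    return alerts
```

On the sample log no IP exceeds two failures, so a per-IP rule with maxretry of 3 or more stays silent, while the per-account view reports five distinct sources against root inside one minute.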