> Also take a note that there are no "known-compromised hosts"

What about hosts listed in RBLs? 
http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists. It would be 
interesting to see how much correlation there is between ssh brute forcing 
bots and the contents of the various lists.

> because ANY IP can be forged.

It's easy enough to forge a SYN, but to set up a session so you can make a 
password guessing attempt requires that you also get the packets back from the 
server, which is an order of magnitude more difficult. Ever since OSes have 
implemented well-chosen initial sequence numbers, spoofing of TCP sessions has 
become very difficult.
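The RBL correlation idea above, as an added example (not from this thread): it pulls failed-password sources out of constructed sshd log lines, builds the reversed-octet DNSBL query name for each, and checks which zones list them. The zones, log lines and the listed fixture are made up; the real lookup is a plain `socket.gethostbyname`, swapped for an offline stand-in here.

```python
import re
import socket
import ipaddress
from collections import Counter

# Constructed sample auth.log lines (not from the original thread).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 host sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 40322 ssh2
Mar  3 10:01:15 host sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 40330 ssh2
Mar  3 10:02:40 host sshd[2140]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 10:03:01 host sshd[2150]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Mar  3 10:04:19 host sshd[2177]: Failed password for invalid user test from 203.0.113.45 port 40400 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")

def failed_login_sources(log_text):
    """Count failed SSH password attempts per source IPv4 address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: the address's octets reversed, then the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def dns_resolve(name):
    """Real lookup: a DNSBL answers with an A record only for listed addresses."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def correlate(counts, zones, resolve=dns_resolve):
    """Map each brute-forcing source to the DNSBL zones that list it."""
    return {ip: [z for z in zones if resolve(dnsbl_query_name(ip, z))] for ip in counts}

# Constructed offline stand-in for dns_resolve; the listed name is a made-up fixture.
LISTED_FIXTURE = {"45.113.0.203.dnsbl.example.test"}

def fake_resolve(name):
    return name in LISTED_FIXTURE

if __name__ == "__main__":
    print(correlate(failed_login_sources(SAMPLE_AUTH_LOG), ["dnsbl.example.test"], fake_resolve))
```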
