Bugtraq mailing list archives

Re: Possible Denial of Service: SSH


From: jimd () starshine org (Jim Dennis)
Date: Wed, 18 Dec 1996 04:21:03 -0800


On Tue, 17 Dec 1996, Sean B. Hamor wrote:

It seems that when my Windows 95 laptop establishes a connection to my Linux
box via SSH and the PPP connection drops, all processes that were being
controlled by the inbound SSH connection get zombied out.  If I establish a
connection and exit/drop the SSH connection, the Linux box recovers fine.
This problem only occurs when the PPP connection drops.

Anyway...I'd be interested in seeing if anyone else has had this problem (or
if it's a known bug).  The attack failed against a Linux 1.2.13 box running
sshd 1.2.17.

We have the same thing happening here. We have some users who use
some flaky TV cable connection to run ppp to their university and
it often disconnects. We then end up with sshd zombies as well.
However, killing off the main sshd will also get rid of the zombies
for you (Don't try this from remote, if you're logged in using ssh :)

Paul Wouters


        In general any zombie can be killed by killing off its
        parent.  The reason zombies exist is to provide the kernel
        with a place to store a program's exit status until the
        parent requests it (issues a wait() call).

        When a parent dies (or exits) then all of its children
        (now "orphans") are adopted by init (process #1).  'init'
        regularly checks the status of all its children (adopted
        or otherwise) and wait()'s on any zombies (discarding
        any exit status -- since there's no parent to care how the
        child died).


        Obviously if you kill the process that is responsible for
        your communications with a server (like sshd or telnetd)
        you'd kill your own connection.

        However, you should be able to do any of the following:

        # (sleep 60; kill -9 $zombies_parent ) & exit

        # at $NOW_plus_a_minute << FOO
        >shutdown -r now
        >FOO
        # exit

        # shutdown -r 60 & exit

        or any reasonable variation of these.

        Recently my wife (a system administrator and webmistress)
        was told that the company was going to shut down all
        power to the building at Midnight on a Friday (Saturday
        morning actually).  Naturally she didn't want to go
        in then.  So she did the natural thing:

                echo 'shutdown -h now' | at 23:50

        ... on each of the boxes she handles.

        (only bug was the Netscape Commerce Server -- which requires
        an administrative password to start -- similar to your
        PGP keyphrase and for similar reasons.  She solved that by
        ssh'ing in from home, chaining through another ssh to that
        box, and starting the https)
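
The zombie lifecycle described in the message above, as an added example that is not part of the original post: a child that has exited stays in state Z, holding only its exit status, until its parent waits on it. It assumes Linux with /proc mounted; proc_state and zombie_demo are names invented for this illustration.

```c
/* Added example (Linux, /proc assumed): a zombie persists until wait(). */
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* State letter from /proc/<pid>/stat ('Z' = zombie); 0 if no such process. */
char proc_state(pid_t pid)
{
    char path[64], buf[512];
    snprintf(path, sizeof path, "/proc/%ld/stat", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    /* Layout is "pid (comm) state ..."; comm may contain ')', so scan from the end. */
    char *p = strrchr(buf, ')');
    return (p && p[1] == ' ') ? p[2] : 0;
}

/* Fork a child that exits with `code`; record its state before and after the
 * parent reaps it. Returns the exit status the zombie was holding, or -1. */
int zombie_demo(int code, char *before, char *after)
{
    int status;
    siginfo_t info;
    signal(SIGCHLD, SIG_DFL);   /* if SIGCHLD were ignored, the kernel would auto-reap */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(code);              /* child: exit immediately */
    /* Block until the child is dead; WNOWAIT leaves it unreaped. */
    if (waitid(P_PID, (id_t)pid, &info, WEXITED | WNOWAIT) != 0) return -1;
    *before = proc_state(pid);              /* 'Z': only the exit status remains */
    if (waitpid(pid, &status, 0) != pid) return -1;   /* the parent's wait() reaps it */
    *after = proc_state(pid);               /* 0: process-table slot released */
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char before = 0, after = 0;
    int rc = zombie_demo(7, &before, &after);
    printf("before wait(): %c  after wait(): %s  exit status: %d\n",
           before ? before : '-', after ? "present" : "gone", rc);
    return 0;
}
```

A daemon that never reaches the waitpid() step for its dead children leaves one process-table entry per child, which is the accumulation reported in this thread.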


