Vulnerability Development mailing list archives

Re: Possible OpenSSH DoS Attack


From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Tue, 11 Dec 2001 12:41:12 -0500 (EST)

On Tue, 11 Dec 2001, Robert van der Meulen wrote:

> Do you get this problem both when running sshd from inetd and standalone?

The resource exhaustion attacks occur both standalone and from some 'super
server', i.e. inetd.

> Opening up a big number of connections to the server starves out the
> number of available sockets, disallowing new connects. I can't think
> of an easy way to solve this, without using an external measure (such
> as a combination of --limit and --limit-burst iptables rules on
> linux).

Alternatively, you can use xinetd, which has a maximum connections
directive, and also a "max from any one IP" directive. Both of those help
stave off resource exhaustion attacks by ssh.

http://security-archive.merton.ox.ac.uk/bugtraq-199909/0207.html

OpenSSH committed a fix for this before we even noted it widely, and a
friend even fixed a SIGCHLD problem (Craig Copi, see ChangeLog in
OpenSSH-portable) way back in 1999. I don't think SSH.com ever did a fix
for SSH1 daemons, citing that it was deprecated ....

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
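Added example, not part of the original post or of OpenSSH/xinetd: a small simulation of the two external controls the thread names, an iptables-style `--limit RATE --limit-burst N` token bucket on new connections and xinetd-style `instances` / `per_source` caps on concurrent sessions. The connection records (a SYN flood from one address followed by a legitimate client) are constructed inline; no sockets, firewall or inetd are involved, and the addresses and parameter values are assumptions chosen for illustration.

```python
"""Simulate connection rate limiting and per-source caps for an sshd
listener (added example, not the original post's or any project's code).

Real-world equivalents this models (reference only, not executed here):
    iptables -A INPUT -p tcp --dport 22 --syn -m limit \
        --limit 3/minute --limit-burst 5 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 --syn -j DROP
and, in an xinetd ssh service stanza:
    instances  = 10
    per_source = 2
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """iptables 'limit' match semantics: the bucket starts full at `burst`
    tokens, refills `rate` tokens per second, and each matched SYN costs one.
    A SYN that finds the bucket below one token is not matched (dropped)."""
    rate: float                     # tokens per second (3/minute = 0.05)
    burst: int                      # --limit-burst, bucket capacity
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class ConnLimiter:
    """xinetd-style caps: `instances` concurrent sessions in total and
    `per_source` concurrent sessions from any single client address."""
    instances: int
    per_source: int
    active: Counter = field(default_factory=Counter)

    def total(self) -> int:
        return sum(self.active.values())

    def open(self, src: str) -> bool:
        if self.total() >= self.instances or self.active[src] >= self.per_source:
            return False
        self.active[src] += 1
        return True

    def close(self, src: str) -> None:
        if self.active[src] > 0:
            self.active[src] -= 1


def replay(events, bucket, limiter):
    """Replay (time, src, 'syn'|'fin') records through the rate limiter and
    then the concurrency cap; return counts of accepted and dropped SYNs."""
    stats = Counter()
    for t, src, kind in events:
        if kind == "fin":
            limiter.close(src)
            continue
        if not bucket.allow(t):
            stats["dropped_rate"] += 1      # firewall never forwards it
        elif not limiter.open(src):
            stats["dropped_cap"] += 1       # super-server refuses it
        else:
            stats["accepted"] += 1
    return dict(stats)


# Constructed traffic (assumed addresses): 100 SYNs in one second from a
# single attacker, then one legitimate client a minute later.
FLOOD_SRC = "10.0.0.9"
LEGIT_SRC = "192.0.2.7"
EVENTS = [(i * 0.01, FLOOD_SRC, "syn") for i in range(100)]
EVENTS.append((60.0, LEGIT_SRC, "syn"))


def demo():
    """Same traffic with no controls versus the limits discussed above."""
    unlimited = replay(EVENTS, TokenBucket(rate=1e9, burst=10**9),
                       ConnLimiter(instances=10**9, per_source=10**9))
    limited = replay(EVENTS, TokenBucket(rate=3 / 60, burst=5),
                     ConnLimiter(instances=10, per_source=2))
    return {"unlimited": unlimited, "limited": limited}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```

With the limits in place the flood gets only its first five SYNs past the token bucket (the burst), the per-source cap admits two of those, and the bucket has refilled enough by the time the legitimate client connects that it is accepted; without the limits every one of the 100 flood connections is accepted and the socket table fills, which is the starvation the quoted message describes.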

