https://bugzilla.mindrot.org/show_bug.cgi?id=3211
Bug ID: 3211
Summary: A
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: kircherlike at outlook.com
-- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Sep-09 09:16 UTC
[Bug 3211] DDoS attack by using ssh-keyscan
https://bugzilla.mindrot.org/show_bug.cgi?id=3211
kircher <kircherlike at outlook.com> changed:
Summary: removed "A", added "DDoS attack by using ssh-keyscan"
bugzilla-daemon at mindrot.org
2020-Sep-09 13:16 UTC
[Bug 3211] DDoS attack by using ssh-keyscan
https://bugzilla.mindrot.org/show_bug.cgi?id=3211
--- Comment #1 from kircher <kircherlike at outlook.com> ---
As we know, sshd provides the MaxStartups limit to restrict the number of connections established at the same time. The ssh-keyscan command is also used to establish connections. Multiple connections are established based on the number of host keys on the server. Simply put, as long as the DDoS attacker executes such a script:

for((i=0;i<1;));do ssh-keyscan [IP address of the attacked host]>/dev/null 2>&1 & done

The CPU usage of the attacked host becomes too high, and it is difficult to accept normal SSH connection requests.
bugzilla-daemon at mindrot.org
2020-Sep-11 01:44 UTC
[Bug 3211] DDoS attack by using ssh-keyscan
https://bugzilla.mindrot.org/show_bug.cgi?id=3211
--- Comment #2 from kircher <kircherlike at outlook.com> ---
To solve this problem, add the anti-DDoS function to the sshd implementation mechanism. For example, you are advised to add the SshDdosInterval and SshDdosCountMax parameters to the sshd configuration file. The meaning of these parameters is that, for a client with the same identifier (which can be the IP address, MAC address, or SSH hostkey), the number of successful connections within the period specified by SshDdosInterval cannot exceed the value of SshDdosCountMax. Adding the DDoS mechanism behind the MaxStartups mechanism is an effective solution. These are two names that match the ssh naming rules, aren't they?
bugzilla-daemon at mindrot.org
2021-Mar-12 04:02 UTC
[Bug 3211] DDoS attack by using ssh-keyscan
https://bugzilla.mindrot.org/show_bug.cgi?id=3211
Darren Tucker <dtucker at dtucker.net> changed:
CC: added dtucker at dtucker.net
--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
In 8.5 we added PerSourceMaxStartups and PerSourceNetBlockSize which allow limiting startups by source address, optionally grouping nearby addresses into blocks:

PerSourceMaxStartups
    Specifies the number of unauthenticated connections allowed from a given source address, or "none" if there is no limit. This limit is applied in addition to MaxStartups, whichever is lower. The default is none.

PerSourceNetBlockSize
    Specifies the number of bits of source address that are grouped together for the purposes of applying PerSourceMaxStartups limits. Values for IPv4 and optionally IPv6 may be specified, separated by a colon. The default is 32:128, which means each address is considered individually.

If you set PerSourceMaxStartups to something lower than MaxStartups it will prevent any single address (or block of addresses if you set PerSourceNetBlockSize) from tying up all of the startups.
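A model of the grouping and limiting described in Comment #3, added here as an illustration (Python, not OpenSSH's own code): it parses a PerSourceNetBlockSize value, buckets source addresses into netblocks, and decides whether a new unauthenticated connection would be admitted under both MaxStartups and PerSourceMaxStartups. The addresses are constructed from the documentation ranges, and MaxStartups is simplified to its hard ceiling (the start:rate:full random-drop behaviour is not modelled).

```python
import ipaddress
from collections import Counter


def parse_netblock_size(value):
    """Parse a PerSourceNetBlockSize value such as "32:128" or "24:64"
    into (ipv4_bits, ipv6_bits). A missing IPv6 part means 128 (no grouping)."""
    parts = value.split(":")
    v4 = int(parts[0])
    v6 = int(parts[1]) if len(parts) > 1 else 128
    if not (0 <= v4 <= 32 and 0 <= v6 <= 128):
        raise ValueError("netblock size out of range: %r" % value)
    return v4, v6


def source_block(addr, netblock_size):
    """Return the netblock key a source address is grouped into, e.g.
    198.51.100.10 with 24 bits -> "198.51.100.0/24"."""
    v4, v6 = netblock_size
    ip = ipaddress.ip_address(addr)
    bits = v4 if ip.version == 4 else v6
    return str(ipaddress.ip_network("%s/%d" % (ip, bits), strict=False))


def would_accept(pending, new_addr, max_startups, per_source_max, netblock_size):
    """Decide whether a new unauthenticated connection is admitted.

    pending        - source addresses of connections still in startup (constructed)
    max_startups   - hard ceiling from MaxStartups (assumption: random drop ignored)
    per_source_max - PerSourceMaxStartups, or None for the default "none"
    The lower of the two limits applies, as the sshd_config text states.
    """
    if len(pending) >= max_startups:
        return False
    if per_source_max is None:
        return True
    counts = Counter(source_block(a, netblock_size) for a in pending)
    return counts[source_block(new_addr, netblock_size)] < per_source_max


if __name__ == "__main__":
    # Constructed: two startups already pending from one /24.
    pending = ["198.51.100.10", "198.51.100.11"]
    blocks = parse_netblock_size("24:64")
    print(would_accept(pending, "198.51.100.200", 10, 2, blocks))  # False: /24 full
    print(would_accept(pending, "203.0.113.5", 10, 2, blocks))     # True: other block
```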
bugzilla-daemon at mindrot.org
2023-Oct-11 07:29 UTC
[Bug 3211] DDoS attack by using ssh-keyscan
https://bugzilla.mindrot.org/show_bug.cgi?id=3211
Damien Miller <djm at mindrot.org> changed:
Resolution: --- -> FIXED
Status: NEW -> RESOLVED
CC: added djm at mindrot.org