Hello,
I have a question regarding SCTP support in OpenSSH. (I have
searched the list, and it seems to show up periodically every two
years, and since it's that time again I dare to ask...)
It can't be described better than what I've placed in a bug report
yesterday, so please let me (mostly) copy & paste that:
Hello.
I don't know how you do it, I never managed a(n exposed) server
until January and now [.] I think what I have to face are TCP
RST attacks on SSH connections, leading to "connection reset"s
["connection closed" on the client side in fact] (of course).
My first reaction was something like "go UDP", but all
I effectively need is SSH, so OpenVPN is much too full-blown for
a bit of scp/ssh/git over ssh, and mosh (or a quick'n'dirty shot
with new OpenSSL and DTLS, plus pty plus sh) is a complete
disruption of the workflow. And IPsec is really, really no no
no.
Looking around a bit i found RFC 4953, "Defending TCP Against
Spoofing Attacks", and that mentions SCTP in a few places, e.g.,
"Other transport protocols, such as SCTP and DCCP, also have
limited antispoofing mechanisms" and "whereas others establish
per-connection identity based on exchanged nonces (e.g., SCTP)".
Now I knew there was an SCTP patch floating around for OpenSSH years
ago, and it is indeed actively maintained to this day and even
available in the OpenSSH that Gentoo packages.
I'm not at all a network expert, so I don't know whether SCTP will
really help against the particular attack I'm facing, but it
sounds as if it would address some problems in this area, and so
I'm kindly asking for inclusion of that actively maintained
patch in place-your-favourite-OS(-distribution).
I've downloaded the patch from [1]; the OpenSSH bugzilla entries
are [2] and [3]. Note that the patch ([1]) itself needs a patch
for using SCTP via getopt, i.e. the command line (new -z option).
[1]
http://ftp.uni-erlangen.de/pub/mirrors/gentoo/distfiles/openssh-7.2_p1-sctp.patch.xz
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=1604
[3] https://bugzilla.mindrot.org/show_bug.cgi?id=2016
Probably an expert can help answer the question whether SCTP
would prevent TCP reset attacks (I guess what would be needed
would be real confidence in the mac/address/port of the source).
And if so, can't it be included in the portable version of
OpenSSH? The initial comments of Markus Friedl and Darren Tucker
didn't sound all that bad, imho, and the patch has been actively
maintained for many years.
Thanks, and ciao,
--steffen
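The question above is what an off-path attacker actually has to guess. The following is an added example, not part of the post and not code from OpenSSH or the SCTP patch: a small Python model of the acceptance rules for a forged TCP RST (RFC 793, and the tightened check of RFC 5961) next to those for a forged SCTP ABORT (RFC 4960 section 8.5.1), with a "blind" attacker that steps through guesses. All sequence numbers, windows and verification tags in it are constructed. It only models the off-path case: an attacker who can observe the connection sees the SCTP verification tags just as it sees TCP sequence numbers and gains nothing from the model's arithmetic.

```python
"""
Added example, not from the original post and not OpenSSH or SCTP-patch code:
what an off-path ("blind") attacker must guess to kill a TCP connection with a
forged RST versus an SCTP association with a forged ABORT.  Acceptance rules
follow RFC 793 / RFC 5961 (TCP) and RFC 4960 section 8.5.1 (SCTP).  All
connection state below is constructed for the demonstration.
"""

SEQ_SPACE = 1 << 32  # TCP sequence numbers and SCTP verification tags are 32-bit


def tcp_rst_accepted(rcv_nxt: int, rcv_wnd: int, rst_seq: int,
                     rfc5961: bool = False) -> bool:
    """Does the receiver act on a RST whose sequence number is rst_seq?

    RFC 793: the RST is honoured if rst_seq lies anywhere in the receive
    window [RCV.NXT, RCV.NXT + RCV.WND).  RFC 5961 tightens this: only
    rst_seq == RCV.NXT resets the connection; an in-window but inexact RST
    elicits a challenge ACK instead, modelled here as "not accepted".
    """
    offset = (rst_seq - rcv_nxt) % SEQ_SPACE  # handles sequence wraparound
    if rfc5961:
        return offset == 0
    return offset < rcv_wnd


def sctp_abort_accepted(my_vtag: int, peer_vtag: int, pkt_vtag: int,
                        t_bit: bool) -> bool:
    """RFC 4960 section 8.5.1 (B): a packet carrying ABORT is accepted only if
    its Verification Tag equals the receiver's own tag (T bit clear) or the
    peer's tag (T bit set); anything else is silently discarded.  Both tags
    are random 32-bit values exchanged in INIT / INIT-ACK, i.e. the
    per-connection nonces RFC 4953 mentions.
    """
    expected = peer_vtag if t_bit else my_vtag
    return pkt_vtag == expected


def blind_rst_tries(rcv_nxt: int, rcv_wnd: int, rfc5961: bool = False,
                    max_tries: int = 1 << 20):
    """Forged RSTs needed by an attacker who knows the 4-tuple but not RCV.NXT
    and steps its guess by one window (one sequence number under RFC 5961)
    per packet.  Returns the packet count, or None if max_tries ran out."""
    step = 1 if rfc5961 else rcv_wnd
    for k in range(max_tries):
        if tcp_rst_accepted(rcv_nxt, rcv_wnd, (k * step) % SEQ_SPACE, rfc5961):
            return k + 1
    return None


def blind_abort_tries(my_vtag: int, peer_vtag: int, max_tries: int = 1 << 20):
    """The same blind attacker against SCTP: it must hit a 32-bit tag exactly,
    there is no window that widens the target."""
    for guess in range(max_tries):
        if sctp_abort_accepted(my_vtag, peer_vtag, guess, t_bit=False):
            return guess + 1
    return None


def worst_case_tries(rcv_wnd: int, rfc5961: bool) -> int:
    """Packets needed to be certain of a hit: ceil(2^32 / window) for classic
    TCP, the full 2^32 for RFC 5961 TCP and for an SCTP verification tag."""
    if rfc5961:
        return SEQ_SPACE
    return -(-SEQ_SPACE // rcv_wnd)  # ceiling division


if __name__ == "__main__":
    # constructed TCP state: a 64 KiB receive window and some RCV.NXT
    RCV_NXT, RCV_WND = 0x12345678, 65_535
    # constructed SCTP association tags (random 32-bit values in practice)
    MY_VTAG, PEER_VTAG = 0x9E3779B9, 0x7F4A7C15

    print("TCP/RFC 793: blind RST accepted after",
          blind_rst_tries(RCV_NXT, RCV_WND), "packets;",
          "worst case", worst_case_tries(RCV_WND, False))
    print("TCP/RFC 5961: blind RST within 2^20 packets:",
          blind_rst_tries(RCV_NXT, RCV_WND, rfc5961=True), "(worst case 2^32)")
    print("SCTP: blind ABORT within 2^20 packets:",
          blind_abort_tries(MY_VTAG, PEER_VTAG), "(worst case 2^32)")
```

With a 64 KiB window the classic TCP attacker needs a few thousand packets, which is why RFC 4953 treats blind resets as practical; the RFC 5961 check and the SCTP verification tag both push that to the full 32-bit space. Note that an SCTP transport only buys anything if the peer is not in a position to read the tags off the wire, and that plenty of middleboxes will not pass SCTP at all.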