openssh unix dev - Jun 2024 - An Analysis of the DHEat DoS Against SSH in Cloud Environments

On Wed, 2024-06-26 at 04:32 +0200, Thorsten Glaser
wrote:
> If they get under attack, they?d better do. And if you?re ignoring
> a known bottleneck, the results will probably not be very useful?
> besides, not everyone is systemd-infested.

The primary responsibility falls on system designers to choose
reasonable default settings.

On Wed, 26 Jun 2024, Joseph S. Testa II wrote:
> On Wed, 2024-06-26 at 04:32 +0200, Thorsten Glaser wrote:
> > If they get under attack, they?d better do. And if you?re ignoring
> > a known bottleneck, the results will probably not be very useful?
> > besides, not everyone is systemd-infested.
> 
> The primary responsibility falls on system designers to choose
> reasonable default settings.
give us a set of defaults that prevents extreme-case DoS while not
preventing legitimate traffic for busy servers and we'll adopt it.

On 6/26/24 7:56 AM, Joseph S. Testa II wrote:
> On Wed, 2024-06-26 at 04:32 +0200, Thorsten Glaser wrote:
>> If they get under attack, they?d better do. And if you?re ignoring
>> a known bottleneck, the results will probably not be very useful?
>> besides, not everyone is systemd-infested.
> 
> 
> The primary responsibility falls on system designers to choose
> reasonable default settings.
I think it's really important to get this right. The problem, from my 
perspective, is that a large number of people are going to installing 
9.8 via package updates. They're not going to look to closely at what 
has changed or what they might need to do differently. Sadly, this 
includes a lot of people that should know better. Just how it is though. 
If it wasn't that way we wouldn't need something to protect users 
against their own weak passwords.

I think this is a good idea. I'm just concerned about unforeseen impacts.