[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Dropbear SSH server Denial of Service

To: Matt Johnston <matt@xxxxxxxxxx>
Subject: Re: Dropbear SSH server Denial of Service
From: Damien Miller <djm@xxxxxxxxxxx>
Date: Sat, 11 Mar 2006 13:51:47 +1100 (EST)

On Fri, 10 Mar 2006, Matt Johnston wrote:

> Dropbear 0.48 mitigates this issue by having a per-IP limit
> as well as a global limit - this will at least prevent an
> IP-deprived attacker from denying service.
> 
> It's worth noting that various other network services (such
> as netkit-inetd and OpenSSH) have the same design issues, at
> least in default configurations.

OpenSSH has had connection-flood DoS mitigation since 2000, in the 
form of random early drop of connections so legitimate users have a
probabalistic change of getting in. See the "MaxStartups" documentation
in sshd_config(5)

-d

References:
- Dropbear SSH server Denial of Service
  - From: Pablo Fernandez
- Re: Dropbear SSH server Denial of Service
  - From: Matt Johnston

Prev by Date: [ GLSA 200603-07 ] flex: Potential insecure code generation
Next by Date: XSS in vCard
Previous by thread: Re: Dropbear SSH server Denial of Service
Next by thread: Re: Dropbear SSH server Denial of Service
Index(es):
- Date
- Thread