Bug 3211

Summary: DDoS attack by using ssh-keyscan
Product: Portable OpenSSH
Reporter: kircher <kircherlike>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: NEW
Severity: security
CC: dtucker
Priority: P5
Version: 8.3p1
Hardware: Other
OS: Linux

Description kircher 2020-09-09 19:14:31 AEST

    
Comment 1 kircher 2020-09-09 23:16:06 AEST
As we know, sshd provides the MaxStartups limit to restrict the number of connections established at the same time. The ssh-keyscan command is also used to establish connections. Multiple connections are established based on the number of host keys on the server.

Simply put, as long as the DDoS attacker executes a script such as:

for((i=0;i<1;));do ssh-keyscan [IP address of the attacked host] >/dev/null 2>&1  & done

The CPU usage of the attacked host becomes too high, and it is difficult to accept normal SSH connection requests.
Comment 2 kircher 2020-09-11 11:44:54 AEST
To solve this problem, add the anti-DDoS function to the sshd implementation mechanism.

For example, you are advised to add the SshDdosInterval and SshDdosCountMax parameters to the sshd configuration file. The meaning of these parameters is that for a client with the same identifier (which can be the IP address, MAC address, or SSH host key), the number of successful connections within the period specified by SshDdosInterval cannot exceed the value of SshDdosCountMax.

Adding the DDoS mechanism behind the MaxStartups mechanism is an effective solution.

These are two names that match the ssh naming rules, aren't they?
Comment 3 Darren Tucker 2021-03-12 15:02:15 AEDT
In 8.5 we added PerSourceMaxStartups and PerSourceNetBlockSize which allow limiting startups by source address, optionally grouping nearby addresses into blocks:

     PerSourceMaxStartups
             Specifies the number of unauthenticated connections allowed from
             a given source address, or "none" if there is no limit.  This
             limit is applied in addition to MaxStartups, whichever is lower.
             The default is none.

     PerSourceNetBlockSize
             Specifies the number of bits of source address that are grouped
             together for the purposes of applying PerSourceMaxStartups
             limits.  Values for IPv4 and optionally IPv6 may be specified,
             separated by a colon.  The default is 32:128, which means each
             address is considered individually.

If you set PerSourceMaxStartups to something lower than MaxStartups it will prevent any single address (or block of addresses if you set PerSourceNetBlockSize) from tying up all of the startups.
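As an added illustration of how the two limits described in Comment 3 interact (example code written for this page, not OpenSSH's own implementation), the following Python model counts unauthenticated "startup" connections per source block and replays the ssh-keyscan flood from Comment 1 against three configurations: MaxStartups alone, MaxStartups plus PerSourceMaxStartups, and the same with PerSourceNetBlockSize 24:64. The addresses are constructed documentation ranges. Two simplifications are assumptions of this model and not statements about sshd: MaxStartups is treated as a single hard limit rather than the "start:rate:full" random-early-drop form, and a PerSourceNetBlockSize given with only an IPv4 value is assumed to leave IPv6 at its default of 128.

```python
import ipaddress
from collections import Counter
from typing import List, Optional, Tuple

# Constructed model of how sshd's MaxStartups, PerSourceMaxStartups and
# PerSourceNetBlockSize gate unauthenticated connections. Example code for
# this page, not OpenSSH's code. Assumptions: MaxStartups is a single hard
# limit (no start:rate:full random early drop); a PerSourceNetBlockSize with
# only an IPv4 value keeps IPv6 at 128.


def parse_netblock_size(value: str) -> Tuple[int, int]:
    """Parse '24' or '24:64' into (ipv4_bits, ipv6_bits)."""
    parts = value.split(":")
    if len(parts) > 2:
        raise ValueError(f"bad PerSourceNetBlockSize: {value!r}")
    v4 = int(parts[0])
    v6 = int(parts[1]) if len(parts) == 2 else 128  # assumption: default kept
    if not (0 <= v4 <= 32 and 0 <= v6 <= 128):
        raise ValueError(f"bad PerSourceNetBlockSize: {value!r}")
    return v4, v6


def block_key(addr: str, v4_bits: int = 32, v6_bits: int = 128) -> str:
    """Source address masked to the block it is counted under.
    With the default 32:128 every address is its own block."""
    ip = ipaddress.ip_address(addr)
    bits = v4_bits if ip.version == 4 else v6_bits
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


class StartupLimiter:
    """Tracks open unauthenticated connections: the global MaxStartups cap is
    checked first, then the per-block cap, so the lower of the two wins."""

    def __init__(self, max_startups: int,
                 per_source_max_startups: Optional[int] = None,
                 per_source_netblock_size: str = "32:128"):
        self.max_startups = max_startups
        self.per_source = per_source_max_startups      # None means "none"
        self.v4_bits, self.v6_bits = parse_netblock_size(per_source_netblock_size)
        self.pending = Counter()                       # block -> open startups
        self.total = 0

    def admit(self, addr: str) -> bool:
        """True if a new unauthenticated connection from addr is accepted."""
        if self.total >= self.max_startups:
            return False
        key = block_key(addr, self.v4_bits, self.v6_bits)
        if self.per_source is not None and self.pending[key] >= self.per_source:
            return False
        self.pending[key] += 1
        self.total += 1
        return True

    def release(self, addr: str) -> None:
        """Connection authenticated or closed: its startup slot is freed."""
        key = block_key(addr, self.v4_bits, self.v6_bits)
        if self.pending[key] > 0:
            self.pending[key] -= 1
            self.total -= 1


def flood_then_legit(limiter: StartupLimiter, attackers: List[str],
                     attempts_each: int, legit: str) -> Tuple[int, bool]:
    """Each attacker address opens attempts_each ssh-keyscan-style connections
    and holds them unauthenticated; then one legitimate client connects.
    Returns (attacker connections admitted, legitimate client admitted)."""
    admitted = sum(limiter.admit(a) for a in attackers for _ in range(attempts_each))
    return admitted, limiter.admit(legit)


if __name__ == "__main__":
    attacker, legit = "192.0.2.10", "198.51.100.7"   # constructed addresses
    # Bug as reported: MaxStartups alone, one source takes every slot.
    print(flood_then_legit(StartupLimiter(10), [attacker], 40, legit))
    # 8.5 fix: PerSourceMaxStartups 3 leaves room for the legitimate client.
    print(flood_then_legit(StartupLimiter(10, 3), [attacker], 40, legit))
    # PerSourceNetBlockSize 24:64 counts the attacker's whole /24 as one source.
    lim = StartupLimiter(10, 3, "24:64")
    print(flood_then_legit(lim, ["192.0.2.10", "192.0.2.11", "192.0.2.12"], 5, legit))
```

In sshd_config terms the second and third scenarios correspond to adding `PerSourceMaxStartups 3` (and `PerSourceNetBlockSize 24:64`) below an existing `MaxStartups` line; `sshd -T` prints the effective values so the setting can be confirmed before restarting the daemon. Note that the per-source cap only bounds what one address or block can hold open: an attacker spread across many blocks is still limited by MaxStartups as a whole.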