Bug 3414

Summary: Out Of Memory attacks over SSH connections
Product: Portable OpenSSH Reporter: kircher <kircherlike>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED INVALID    
Severity: security    
Priority: P1    
Version: 8.9p1   
Hardware: All   
OS: Linux   

Description kircher 2022-03-24 19:37:46 AEDT 
If a common user wants to kill a privileged user's process on the server, he is likely to choose this attack mode.

The attack principle is simple, as long as common users have more memory resources than the server and keep creating SSH connections.

Although sshd has MaxStartups, PerSourceMaxStartups, and PerSourceNetBlockSize limits on the number of concurrent connections established by clients, sshd does not limit the total number of connections established or disconnect some connections when there are a large number of connections.

As an attacker, we simply run the following shell command:
for((i=0;i<1;));do sleep 1; ssh [ip address of server] & done

It doesn't take too long to trigger the kernel's OOM, similar to the following.

[1033097.096765] sshd invoked oom-killer: gfp_mask=0x6280ca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), order=0, oom_score_adj=0

Tested with 4.19 kernels on x86 machines, About 2500 ssh connections can use up 4GB of memory.

If the above command is used, this may not take about 1 hour..
Comment 1 Damien Miller 2022-04-08 12:12:55 AEST 
closing bug resolved during openssh-9.0 release cycle