If a common user wants to kill a privileged user's process on the server, he is likely to choose this attack mode.

The attack principle is simple, as long as common users have more memory resources than the server and keep creating SSH connections.

Although sshd has MaxStartups, PerSourceMaxStartups, and PerSourceNetBlockSize limits on the number of concurrent connections established by clients, sshd does not limit the total number of connections established or disconnect some connections when there are a large number of connections.

As an attacker, we simply run the following shell command:
for((i=0;i<1;));do sleep 1; ssh [ip address of server] & done

It doesn't take too long to trigger the kernel's OOM, similar to the following.

[1033097.096765] sshd invoked oom-killer: gfp_mask=0x6280ca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), order=0, oom_score_adj=0

Tested with 4.19 kernels on x86 machines, About 2500 ssh connections can use up 4GB of memory.

If the above command is used, this may not take about 1 hour..