[lug] DOS ssh attacks

Hugh Brown hugh at math.byu.edu
Sat Jan 10 15:51:34 MST 2009

karl horlen wrote:
> since this topic is relevant,i'm wondering if someone can explain
> something to me about DOS attacks.
> most of those replying here are offering firewall solutions that
> block certain ips based on x condition.
> although this helps the problem somewhat, it doesn't really solve it
> does it?
> what i mean is that the firewall is still going to get bombarded by
> the *same* *number* of rogue requests meaning it still has to process
> them.  immediately dropping the packets seems like it would
> definitely decrease the load on the firewall, but if the firewall
> still has to process each packet, i would think you would still be
> able to clog a firewall to the point where whatever it's routing to
> behind it becomes unreachable or slow beyond use.
> the oddity being that if the firewall is a separate device from the
> target server it routes too, the server itself will not have any
> performance issues.  but since the firewall is the "gatekeeper" to
> get to the server, won't dos attacks on the firewall adversely impact
> whatever services you have running on the server regardless if the
> firewall drops said packets?  or am i barking up the wrong tree?
> in the case where a firewall lives on the target server, then it
> would seem like you're screwed regardless.
> i've always wanted to know this about DOS attacks.  it seems like
> they win regardless of what you do on a firewall.  most of us never
> get hit with them so we're lucky.
> thanks to anyone who can clarify for me or post a real life scenario
> with before and after server performance results.

consider what happens when someone tries to do a single ssh password 
based login:

the packet comes across the wire, iptables/firewall does processing, 
sshd forks a process to do the key handshake, /bin/login is invoked, the 
password is tested.

by stopping it at the firewall, there's a lot of extra processing that 
doesn't have to happen, so the load isn't as bad.

However, with a distributed DOS attack, you can certainly overwhelm the 
bandwidth of the server/firewall's connection.  It is certainly possible 
to completely saturate the pipe of the inbound connection so that no 
other connections can be made.  In situations like this, you get your 
ISP on the horn to see what types of filtering they can do (and they get 
their ISP on the phone too).

Your question reminds me of an article I read a while back.  I think 
this is it (or it contains enough of the same info): 


More information about the LUG mailing list