[lug] DOS ssh attacks

karl horlen horlenkarl at yahoo.com
Sat Jan 10 16:27:20 MST 2009

> consider what happens when someone tries to do a single ssh
> password based login:
> the packet comes across the wire, iptables/firewall does
> processing, sshd forks a process to do the key handshake,
> /bin/login is invoked, the password is tested.
> by stopping it at the firewall, there's a lot of extra
> processing that doesn't have to happen, so the load
> isn't as bad.

i understand that.. thanks for the details though.

> However, with a distributed DOS attack, you can certainly
> overwhelm the bandwidth of the server/firewall's
> connection.  It is certainly possible to completely saturate
> the pipe of the inbound connection so that no other
> connections can be made.  

that's what i thought..  that's a classic DOS attack.

> In situations like this, you get
> your ISP on the horn to see what types of filtering they can
> do (and they get their ISP on the phone too).

i guess this kind of gets back to the original question.  depending on how big the pipeline is at any given entry / router point to and within your ISP, i would imagine a DOS attack on only one server behind an ISP firewall can potentially impact every server / site behind any one of the firewalls in the path that leads to the ISP.

not even sure how an ISP fixes that?

> Your question reminds me of an article I read a while back.
>  I think this is it (or it contains enough of the same
> info): http://www.press.umich.edu/pdf/9780472031955-ch24.pdf

thanks for the link and info.  i'll give it a look.

