[lug] DOS ssh attacks
horlenkarl at yahoo.com
Sat Jan 10 16:27:20 MST 2009
> consider what happens when someone tries to do a single ssh
> password based login:
> the packet comes across the wire, iptables/firewall does
> processing, sshd forks a process to do the key handshake,
> /bin/login is invoked, the password is tested.
> by stopping it at the firewall, there's a lot of extra
> processing that doesn't have to happen, so the load
> isn't as bad.
I understand that. Thanks for the details, though.
> However, with a distributed DOS attack, you can certainly
> overwhelm the bandwidth of the server/firewall's
> connection. It is certainly possible to completely saturate
> the pipe of the inbound connection so that no other
> connections can be made.
That's what I thought. That's a classic DOS attack.
> In situations like this, you get
> your ISP on the horn to see what types of filtering they can
> do (and they get their ISP on the phone too).
I guess this kind of gets back to the original question. Depending on how big the pipeline is at any given entry/router point to and within your ISP, I would imagine a DOS attack on only one server behind an ISP firewall can potentially impact every server/site behind any one of the firewalls in the path that leads to the ISP.
Not even sure how an ISP fixes that?
> Your question reminds me of an article I read a while back.
> I think this is it (or it contains enough of the same
> info): http://www.press.umich.edu/pdf/9780472031955-ch24.pdf
Thanks for the link and info. I'll give it a look.
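The quoted reply above makes the point that dropping repeated password-guessing sources at the firewall spares sshd the fork, key exchange and /bin/login work for every attempt. As an added example (my own code, not from the thread or any of its posters), the script below does the defender's half of that on the host: it parses OpenSSH "Failed password" lines from auth.log, applies a sliding-window count per source address, and emits the iptables DROP rules an admin would review before applying. The log lines, the year used for the syslog timestamps, the threshold of 5 failures and the 10-minute window are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth.log lines (not taken from the post).
# 203.0.113.7 hammers the server with five guesses in a few seconds;
# 198.51.100.9 is a legitimate user who mistyped once, then used a key;
# 192.0.2.44 makes a single failed attempt.
SAMPLE_LOG = """\
Jan 10 16:20:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 10 16:20:02 host sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51023 ssh2
Jan 10 16:20:03 host sshd[2105]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 10 16:20:04 host sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Jan 10 16:20:05 host sshd[2109]: Failed password for invalid user guest from 203.0.113.7 port 51026 ssh2
Jan 10 16:21:10 host sshd[2111]: Failed password for karl from 198.51.100.9 port 40001 ssh2
Jan 10 16:21:30 host sshd[2113]: Accepted publickey for karl from 198.51.100.9 port 40002 ssh2
Jan 10 16:35:00 host sshd[2120]: Failed password for invalid user admin from 192.0.2.44 port 33000 ssh2
"""

# Syslog timestamps carry no year; assume the year of the thread (constructed).
LOG_YEAR = 2009

# Matches the classic OpenSSH failed-password line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\S+) port \d+ ssh2$"
)


def parse_failed_logins(log_text):
    """Return a list of (timestamp, source_ip) for every failed password attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m.group(2)))
    return events


def find_brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Flag any source that reaches `threshold` failures within a sliding `window`.

    Events are processed in time order; each source keeps a deque of its
    recent failure timestamps, and entries older than the window are dropped
    before the count is checked, so a slow trickle of typos never trips it.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)


def iptables_rules(ips, ssh_port=22):
    """Render one iptables DROP rule per offending source, for review before use."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport {ssh_port} -j DROP"
        for ip in ips
    ]


if __name__ == "__main__":
    failures = parse_failed_logins(SAMPLE_LOG)
    offenders = find_brute_force_sources(failures)
    print(f"{len(failures)} failed attempts, {len(offenders)} source(s) over threshold")
    for rule in iptables_rules(offenders):
        print(rule)
```

The rules are printed rather than executed so that an operator can check the list against known addresses (a user who fat-fingers a password a few times should not land in it) before feeding it to the firewall; in production the same logic belongs in a tool such as fail2ban or an iptables `recent`/`hashlimit` rate limit, which the thread's advice about stopping attempts at the firewall is pointing at.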