oss-sec mailing list archives
Re: speaking of DoS, openssh and dropbear (CVE-2006-1206)
From: Solar Designer <solar () openwall com>
Date: Tue, 3 Jan 2012 05:56:57 +0400
On Tue, Jan 03, 2012 at 12:33:01AM +0100, Nico Golde wrote:
> P.S. if anyone has a clue on why that script still works with dropbear, even though it already seems to implement per-ip based connection counting...

Does it still work? I was not able to reproduce that.

I built Dropbear 2011.54, generated an RSA host key with "./dropbearkey -t rsa -f dropbear_rsa_host_key" and started the service with "./dropbear -r dropbear_rsa_host_key -p 2222". Then I ran your DoS program with "0:2222 10" on the command-line.

At first, it detected that Dropbear would only allow 5 connections from the source address (indeed, Dropbear's MAX_UNAUTH_PER_IP defaults to 5), and I was no longer able to get the SSH version banner with "nc -v 0 2222" (the connection would be closed immediately). However, after a while I started being able to connect with "nc" again, and Dropbear's log records only showed the DoS program making 4 connections at a time, not 5 - I don't know why.

So I hacked the program to make 6 connections at a time instead (changed get_max_startups() to just "return 6;"). Then the DoS for connections from 127.0.0.1 became reliable, so I was able to reasonably test connections from other source IP addresses, which I did. "nc -s 127.0.0.2 -v 0 2222" worked flawlessly (multiple times with no issue), reporting "SSH-2.0-dropbear_2011.54".

Thus, the per-source limit appeared to work as it should have. Where's the problem?

(Of course, with the defaults of MAX_UNAUTH_CLIENTS 30 and MAX_UNAUTH_PER_IP 5 it'd only take abusive connections from 6 IP addresses to DoS the service, but that's expected.)

Alexander
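Added example, not part of the original message and not Dropbear's source: a simplified C model of the two limits named above, assuming a connection is refused once its source already holds MAX_UNAUTH_PER_IP unauthenticated slots or all MAX_UNAUTH_CLIENTS slots are taken. The function names and the addresses other than 127.0.0.1 and 127.0.0.2 are constructed for illustration.

```c
/* Simplified model of two-level pre-auth admission control; not Dropbear's code. */
#include <stdio.h>
#include <string.h>

#define MAX_UNAUTH_CLIENTS 30 /* global default quoted in the message */
#define MAX_UNAUTH_PER_IP   5 /* per-source default quoted in the message */

static char slots[MAX_UNAUTH_CLIENTS][46]; /* "" = free, else source address */

void reset_slots(void) { memset(slots, 0, sizeof slots); }

/* Admit a new unauthenticated connection: 1 = accepted, 0 = closed at once. */
int admit(const char *addr) {
    int free_idx = -1, same = 0;
    for (int i = 0; i < MAX_UNAUTH_CLIENTS; i++) {
        if (slots[i][0] == '\0') { if (free_idx < 0) free_idx = i; }
        else if (strcmp(slots[i], addr) == 0) same++;
    }
    if (same >= MAX_UNAUTH_PER_IP) return 0; /* per-source limit hit */
    if (free_idx < 0) return 0;              /* global limit hit */
    snprintf(slots[free_idx], sizeof slots[free_idx], "%s", addr);
    return 1;
}

/* Free one slot held by addr (client authenticated or disconnected). */
int release(const char *addr) {
    for (int i = 0; i < MAX_UNAUTH_CLIENTS; i++)
        if (strcmp(slots[i], addr) == 0) { slots[i][0] = '\0'; return 1; }
    return 0;
}

/* Try n connections from addr that never authenticate; return how many stuck. */
int hold(const char *addr, int n) {
    int ok = 0;
    while (n-- > 0) ok += admit(addr);
    return ok;
}

int main(void) {
    char a[46];
    reset_slots();
    printf("127.0.0.1 holds %d of 6 attempts\n", hold("127.0.0.1", 6));
    printf("127.0.0.2 admitted: %d\n", admit("127.0.0.2"));
    /* Constructed sources: fill the remaining slots from 127.0.0.2 .. 127.0.0.6. */
    for (int k = 2; k <= 6; k++) { snprintf(a, sizeof a, "127.0.0.%d", k); hold(a, 5); }
    printf("127.0.0.7 admitted with table full: %d\n", admit("127.0.0.7"));
    return 0;
}
```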