oss-sec mailing list archives

Re: speaking of DoS, openssh and dropbear (CVE-2006-1206)


From: Solar Designer <solar () openwall com>
Date: Tue, 3 Jan 2012 05:56:57 +0400

On Tue, Jan 03, 2012 at 12:33:01AM +0100, Nico Golde wrote:
> P.S. if anyone has a clue on why that script still works with dropbear, even 
> though it already seems to implement per-ip based connection counting...

Does it still work?  I was not able to reproduce that.  I built Dropbear
2011.54, generated an RSA host key with "./dropbearkey -t rsa -f
dropbear_rsa_host_key" and started the service with "./dropbear -r
dropbear_rsa_host_key -p 2222".  Then I ran your DoS program with
"0:2222 10" on the command-line.  At first, it detected that Dropbear
would only allow 5 connections from the source address (indeed,
Dropbear's MAX_UNAUTH_PER_IP defaults to 5), and I was no longer able to
get the SSH version banner with "nc -v 0 2222" (the connection would be
closed immediately).  However, after a while I started being able to
connect with "nc" again, and Dropbear's log records only showed the DoS
program making 4 connections at a time, not 5 - I don't know why.  So I
hacked the program to make 6 connections at a time instead (changed
get_max_startups() to just "return 6;").  Then the DoS for connections
from 127.0.0.1 became reliable, so I was able to reasonably test
connections from other source IP addresses, which I did.  "nc -s
127.0.0.2 -v 0 2222" worked flawlessly (multiple times with no issue),
reporting "SSH-2.0-dropbear_2011.54".  Thus, the per-source limit
appeared to work as it should have.  Where's the problem?

(Of course, with the defaults of MAX_UNAUTH_CLIENTS 30 and
MAX_UNAUTH_PER_IP 5 it'd only take abusive connections from 6 IP
addresses to DoS the service, but that's expected.)

Alexander
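Added illustration, not Dropbear's own code: a small Python model of the two-limit accounting the mail describes (a global MAX_UNAUTH_CLIENTS cap and a per-source MAX_UNAUTH_PER_IP cap on sessions that have connected but not yet authenticated), so the "6 addresses exhaust the service" arithmetic and the single-source behaviour tested above can be checked on constructed input. The class name, method names and the event format are assumptions of this example.

```python
"""Model of Dropbear-style unauthenticated-connection admission control.

Illustration only (not Dropbear's source): it reproduces the two limits
discussed in the thread as an accounting table.
"""
from collections import Counter

MAX_UNAUTH_CLIENTS = 30  # Dropbear default: global cap on unauthenticated sessions
MAX_UNAUTH_PER_IP = 5    # Dropbear default: cap per source address


class UnauthLimiter:
    """Counts sessions that have connected but not yet authenticated."""

    def __init__(self, max_clients=MAX_UNAUTH_CLIENTS, max_per_ip=MAX_UNAUTH_PER_IP):
        self.max_clients = max_clients
        self.max_per_ip = max_per_ip
        self.per_ip = Counter()   # source address -> unauthenticated session count

    @property
    def total(self):
        return sum(self.per_ip.values())

    def accept(self, ip):
        """Return True if a new unauthenticated session from ip may proceed."""
        if self.total >= self.max_clients:
            return False          # global limit reached: refused regardless of source
        if self.per_ip[ip] >= self.max_per_ip:
            return False          # this source already holds its share of slots
        self.per_ip[ip] += 1
        return True

    def release(self, ip):
        """Session authenticated or closed: it no longer counts against the limits."""
        if self.per_ip[ip] <= 0:
            return
        self.per_ip[ip] -= 1
        if self.per_ip[ip] == 0:
            del self.per_ip[ip]


def simulate(events, limiter=None):
    """Replay ('connect', ip) / ('close', ip) events (constructed input) and
    return the accept() outcome of each connect, in order."""
    if limiter is None:
        limiter = UnauthLimiter()
    outcomes = []
    for kind, ip in events:
        if kind == "connect":
            outcomes.append(limiter.accept(ip))
        else:
            limiter.release(ip)
    return outcomes
```

Replaying the mail's single-source test (six connects from 127.0.0.1, then one from 127.0.0.2) yields five accepts, one refusal, and a successful connection from the second address.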

