Re: speaking of DoS, openssh and dropbear (CVE-2006-1206)

[Kurt Seifried <kseifrie () redhat com>]

On 01/02/2012 04:33 PM, Nico Golde wrote:
> Hi,
> * Kurt Seifried <kseifrie () redhat com> [2012-01-02 04:56]:
> [...] 
>
> > The rest of the solutions do not lend themselves to this problem or would 
> > require significant changes to the OpenSSH protocol/client/server which is a 
> > bad bad idea.
> >
> > Anything we do to address this issue should be extremely simple and 
> > conservative, the OpenSSH server and client are very stable and robust 
> > pieces of code, any modifications to them make me nervous. 
> >
> > I suspect the simplest and more effective solution might be some form of 
> > progressive timeout for IP's that fail to authenticate (drop the connection 
> > entry silently and ignore them in favor of real clients). 
> >
> > Long term I'd like to see more work on hash cash type solutions, being able 
> > to arbitrarily set or have a reactive system that requires increased work on 
> > the client end to prove they are a legitimate client would help with this 
> > whole DoS/DDoS class of problem to some degree.
> See above, it would be really nice to see if there is a project which already 
> does that.
hashcash.org has implementations in multiple languages (including a bash
script), it uses partial SHA-1 collisions, so easy to do for server, not
sure if you can increase/decrease workload on the fly incrementally
(i.e. require 16, 17, 18 bit partial matches if the server starts
getting loaded).

> Kind regards
> Nico
-- 

-- Kurt Seifried / Red Hat Security Response Team