Time to add exponential backoff for SSH interactive login failures?
djm at mindrot.org
Thu Dec 16 16:23:25 EST 2004
Jay Libove wrote:
> With the growing number of username/password pairs being tried by the low
> level SSH attack which we've all seen in the past few months (I am now
> seeing some series of attempted logins through SSH which try fifty-plus
> different IDs, some with more than one password; I've seen 60 hits on
> "root" in a row), I propose that it is time to add exponential backoff for
> SSH interactive login failures.
If you raise the cost of subsequent password attempts much, then it will
be cheaper for an attacker to make multiple connections instead.
From the victim's point of view, multiple connections are far more
DoS-like than multiple brute-force attempts: each new connection
requires a TCP PCB slot (persisting well after the connection is gone)
and a key-exchange (including an expensive GEX) in addition to all
the other accept-time processing, whereas multiple auth attempts are
usually just additional crypt() calls.
Maybe something like this would be useful in addition to a client-puzzle
(e.g. finding a truncated hash collision before auth), but I think it
has the potential to alter attacker behaviour in a way that is inimical
to server operators.
I am surprised that these trivial password guessing worms are working at
all - it is amazing that people have learned so little in the last 20
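To make the trade-off concrete, the following toy cost model is an added example by the editor, not code or analysis from the thread or from OpenSSH. It assumes a per-connection exponential backoff (delay base * 2^k after the k-th failure), a cap of 6 attempts per connection, and an attacker who reconnects whenever the next delay would cost more than a fresh connection; all constants are constructed.

```python
"""Toy model: per-connection exponential backoff vs. an attacker who reconnects.

Each new connection costs the attacker `reconnect_cost` seconds and costs the
server one key exchange, which is the point made above. Constructed example.
"""


def simulate(guesses, base_delay, reconnect_cost, max_per_conn=6):
    """Run `guesses` password attempts against a server that sleeps
    base_delay * 2**k after the k-th failure within one connection.

    The attacker opens a new connection whenever the pending delay would
    exceed reconnect_cost, or when the per-connection attempt cap is hit.
    Returns the number of connections (= server-side key exchanges), the
    attempts made, and the attacker's elapsed wall-clock seconds.
    """
    connections = 0
    elapsed = 0.0
    remaining = guesses
    while remaining > 0:
        connections += 1
        elapsed += reconnect_cost  # TCP setup + KEX paid per connection
        k = 0
        while True:
            remaining -= 1  # attempt k on this connection fails
            if remaining == 0:
                break
            k += 1
            if k >= max_per_conn:
                break  # server cap reached: must reconnect
            delay = base_delay * 2 ** (k - 1)  # backoff after failure k-1
            if delay > reconnect_cost:
                break  # cheaper to reconnect than to wait it out
            elapsed += delay
    return {
        "connections": connections,
        "attempts": guesses,
        "attacker_seconds": elapsed,
    }


def compare(guesses=60, base_delay=1.0, reconnect_cost=2.0):
    """Same guess budget with and without backoff; shows that backoff raises
    the attacker's time but also multiplies the server's key exchanges."""
    return {
        "no_backoff": simulate(guesses, 0.0, reconnect_cost),
        "backoff": simulate(guesses, base_delay, reconnect_cost),
    }


if __name__ == "__main__":
    print(compare())
```

With the constructed constants, 60 guesses cost the attacker 100 s instead of 20 s, but the server performs 20 key exchanges instead of 10.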