Tcp listen limit.
Ben Lindstrom
mouring at etoh.eviladmin.org
Wed Jun 23 04:58:29 EST 2004
I would check out:
man sshd_config
[..]
MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.
Alternatively, random early drop can be enabled by specifying the three colon separated values ``start:rate:full'' (e.g., "10:30:60"). sshd will refuse connection attempts with a probability of ``rate/100'' (30%) if there are currently ``start'' (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches ``full'' (60).
And see if that leads you to your answer. I remember a listen backlog
modification, but I can't remember if it was 3.7.x or 3.8.x in which
that came into effect.
However, I suspect you are going to run into this before the backlog on
3.7.x.
- Ben
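To make the "start:rate:full" rule concrete, here is an added example (not from this thread and not OpenSSH's own code) that models the MaxStartups random early drop as the man page excerpt describes it: no refusals below ``start'', a linear ramp from ``rate'' percent at ``start'' to 100 percent at ``full'', and everything refused at or above ``full''. The integer arithmetic and the reading of a single value N as "N:100:N" are my assumptions about how sshd evaluates the option. Note that this counts connections sshd has already accepted and not yet authenticated; it says nothing about the kernel listen backlog that a half-open SYN flood fills before accept() ever runs.

```python
# Added example: a model of the MaxStartups random early drop rule.
# Assumptions (not taken from the thread): integer arithmetic for the
# ramp, and a bare number N meaning "N:100:N" (drop everything at N).
import random
from typing import List, Tuple


def parse_max_startups(spec: str) -> Tuple[int, int, int]:
    """Return (start, rate, full) for a MaxStartups value.

    Accepts "start:rate:full" or a single number N, taken to mean
    "N:100:N": nothing is dropped below N, everything is dropped at N.
    """
    parts = spec.strip().split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n
    if len(parts) != 3:
        raise ValueError(f"bad MaxStartups spec: {spec!r}")
    start, rate, full = (int(p) for p in parts)
    if start > full or not (1 <= rate <= 100):
        raise ValueError(f"bad MaxStartups spec: {spec!r}")
    return start, rate, full


def drop_percent(spec: str, unauthenticated: int) -> int:
    """Percentage of new connections refused when `unauthenticated`
    connections are already sitting in the pre-auth state."""
    start, rate, full = parse_max_startups(spec)
    if unauthenticated < start:
        return 0
    if unauthenticated >= full or rate == 100:
        return 100
    # Linear ramp from `rate` at `start` up to 100 at `full`.
    p = 100 - rate
    p = p * (unauthenticated - start) // (full - start)
    return p + rate


def should_drop(spec: str, unauthenticated: int, roll: int) -> bool:
    """One accept decision, given a uniform draw `roll` in [0, 100)."""
    return roll < drop_percent(spec, unauthenticated)


def decide(spec: str, unauthenticated: int, rng=random) -> bool:
    """Same decision with a real random draw (rng must have randrange)."""
    return should_drop(spec, unauthenticated, rng.randrange(100))


def drop_curve(spec: str) -> List[Tuple[int, int]]:
    """(count, percent refused) for every count from 0 to `full`,
    handy for checking what a candidate setting actually does."""
    _, _, full = parse_max_startups(spec)
    return [(n, drop_percent(spec, n)) for n in range(full + 1)]


if __name__ == "__main__":
    for n, pct in drop_curve("10:30:60"):
        if n % 10 == 0:
            print(f"{n:3d} unauthenticated -> refuse {pct:3d}%")
```

Running it prints the ramp for the man page's "10:30:60" example: 0% up to 9 pre-auth connections, 30% at 10, rising to 100% at 60. The default "10" collapses to a hard cutoff, which is the behaviour the original poster observed as "Connection closed by foreign host" once the pre-auth slots were full.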
On Tue, 22 Jun 2004, Fabio Yasusi Yamamoto wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi folks.
>
> Please, someone confirm if I'm right. If I'm wrong, please forgive me.
>
> -
> --------------------------------------------------------------------------------------------------------------
> I've developed a little tool to stress test TCP connections (sending
> SYN and answering SYN-ACK) that simulates a real TCP connection. (
> http://www.hostname.org/fake_connect )
>
> And I noticed that several programs have a little TCP (listen
> backlog?) limit.
>
> One of these programs was OpenSSH. With this I can cause a temporary
> DoS on sshd, preventing any user from logging on. (Sometimes the real
> connection is closed, sometimes it doesn't respond at all (there
> is no SYN-ACK).)
>
> My target platforms were Linux and FreeBSD.
>
> - -
> Here is my question:
> ~ Is it possible, in the configuration, to increase the connection
> limit / listen backlog?
> ~ Why is it not by default?
> - -
>
> - -----------------------------------------
> Before:
> - -----------------------------------------
> bash-2.05b# telnet 10.30.0.1 22
> Trying 10.30.0.1...
> Connected to 10.30.0.1.
> Escape character is '^]'.
> SSH-1.99-OpenSSH_3.7.1p2
>
> After
> - -----------------------------------------
>
> bash-2.05b# telnet 10.30.0.1 22
> Trying 10.30.0.1...
> Connected to 10.30.0.1.
> Escape character is '^]'.
> Connection closed by foreign host.
>
>
> On a massive stress:
> bash-2.05b# telnet 10.30.0.1 22
> Trying 10.30.0.1...
> - -----------------------------------------
>
>
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>