Tcp listen limit.

Ben Lindstrom mouring at etoh.eviladmin.org
Wed Jun 23 04:58:29 EST 2004


I would check out:

man sshd_config
[..]
     MaxStartups
             Specifies the maximum number of concurrent unauthenticated con-
             nections to the sshd daemon.  Additional connections will be
             dropped until authentication succeeds or the LoginGraceTime ex-
             pires for a connection.  The default is 10.

             Alternatively, random early drop can be enabled by specifying the
             three colon separated values ``start:rate:full'' (e.g.,
             "10:30:60").  sshd will refuse connection attempts with a proba-
             bility of ``rate/100'' (30%) if there are currently ``start''
             (10) unauthenticated connections.  The probability increases lin-
             early and all connection attempts are refused if the number of
             unauthenticated connections reaches ``full'' (60).


And see if that leads you to your answer.  I remember a listen backlog
modification, but I can't remember if it was 3.7.x or 3.8.x in which
that came into effect.

However, I suspect you are going to run into this before the backlog on
3.7.x.

- Ben

On Tue, 22 Jun 2004, Fabio Yasusi Yamamoto wrote:

>
> Hi folks.
>
> Please, someone confirm if I'm right. If I'm wrong, please forgive me.
>
> --------------------------------------------------------------------------------------------------------------
> I've developed a little tool to stress test TCP connections (sending
> SYN and answering ACK-SYN) that simulates a real TCP connection. (
> http://www.hostname.org/fake_connect )
>
> And I noticed that several programs have a little TCP (listen
> backlog?) limit.
>
> One of these programs was OpenSSH.  With this I can cause a temporary
> DoS on sshd, preventing any user from logging on (sometimes the real
> connection is closed, sometimes it doesn't respond at all; there
> is no SYN-ACK).
>
> My target platforms were Linux and FreeBSD.
>
> -
> Here is my question:
> ~    Is it possible, in the configuration, to increase the connection
> limit / listen backlog?
> ~    Why is it not by default?
> -
>
> -----------------------------------------
> Before:
> -----------------------------------------
> bash-2.05b# telnet 10.30.0.1 22
> Trying 10.30.0.1...
> Connected to 10.30.0.1.
> Escape character is '^]'.
> SSH-1.99-OpenSSH_3.7.1p2
>
> After:
> -----------------------------------------
>
> bash-2.05b# telnet 10.30.0.1 22
> Trying 10.30.0.1...
> Connected to 10.30.0.1.
> Escape character is '^]'.
> Connection closed by foreign host.
>
>
> On a massive stress:
> bash-2.05b# telnet 10.30.0.1 22
> Trying 10.30.0.1...
> -----------------------------------------
>
>
>
>