An Analysis of the DHEat DoS Against SSH in Cloud Environments

Joseph S. Testa II jtesta at positronsecurity.com
Wed Jun 26 09:01:04 AEST 2024


On Wed, 2024-06-19 at 16:11 -0400, Joseph S. Testa II wrote:
> I suppose in the next few days, I'll try reproducing my original steps
> with the new version and see what happens.

I managed to do some limited testing with a local VM, and the results
are... interesting.

I installed openssh-SNAP-20240626.tar.gz on a fresh and fully-updated
Ubuntu Linux 24.04 LTS VM with 1 vCPU.  While leaving the default sshd
options unchanged, I was able to reduce idle time to 0.0% using
"./ssh-audit.py --dheat=16 target_host".

Next, I increased the vCPUs to 4.  The same ssh-audit command yielded
54% idle time (averaged over 60 seconds).  That's still a lot of strain
on the target, despite the fact that the logs claim that the
PerSourcePenalties noauth:1 restriction was being triggered.

After that, I tried simply flooding the target with open connections
without performing the DHEat attack ("ssh-audit.py --conn-rate-test=16
target_host").  This caused the 60-second average idle time to come all
the way down to 6%!  Additionally, I noticed that the systemd-journal
process was consuming about 50% CPU and /var/log/auth.log grew by
nearly 14MB.  Aside from CPU exhaustion, some may say that causing log
growth at a rate of 14MB/minute would constitute a disk space
exhaustion problem.

Seems like the new PerSourcePenalties implementation/default settings
still allow a denial-of-service by attackers with low-latency network
connections.

   - Joe
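The two measurements the post relies on (CPU idle time averaged over a window, and auth.log growth in MB per minute) are easy to get wrong if taken from a single instantaneous reading. The following is an added example, not code from the post or from ssh-audit or OpenSSH; it shows how a defender would derive both figures from two /proc/stat snapshots and two file sizes. The snapshot strings and file sizes below are constructed and chosen so the result reproduces the 6% idle / 14 MB-per-minute figures reported above; the live-sampling helper only runs on a Linux host where /proc/stat exists.

```python
"""Derive average CPU idle % and log growth rate from before/after samples.

Added illustration for the openssh-unix-dev thread above. The technique
(delta of /proc/stat counters over an interval) is standard; the sample
data is constructed, not captured from the poster's VM.
"""
import os
import time


def parse_cpu_line(stat_text: str) -> tuple[int, int]:
    """Return (idle_jiffies, total_jiffies) from the aggregate 'cpu' line.

    /proc/stat fields: user nice system idle iowait irq softirq steal
    guest guest_nice.  guest/guest_nice are already folded into user/nice,
    so only the first eight fields are summed; idle counts idle + iowait.
    """
    for line in stat_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "cpu":
            values = [int(v) for v in fields[1:]]
            idle = values[3] + (values[4] if len(values) > 4 else 0)
            return idle, sum(values[:8])
    raise ValueError("no aggregate 'cpu' line in /proc/stat text")


def idle_percent(before: str, after: str) -> float:
    """Average idle percentage between two /proc/stat snapshots."""
    idle0, total0 = parse_cpu_line(before)
    idle1, total1 = parse_cpu_line(after)
    d_total = total1 - total0
    if d_total <= 0:
        raise ValueError("counters did not advance between samples")
    return 100.0 * (idle1 - idle0) / d_total


def growth_rate_mb_per_minute(size_before: int, size_after: int,
                              seconds: float) -> float:
    """Log growth normalised to MB/minute (1 MB = 1024*1024 bytes)."""
    if seconds <= 0:
        raise ValueError("interval must be positive")
    return (size_after - size_before) / (1024 * 1024) / (seconds / 60.0)


# Constructed /proc/stat snapshots (hypothetical counters): over the
# interval the totals advance by 10000 jiffies and idle+iowait by 600,
# i.e. 6% idle, the figure the post reports for the connection flood.
BEFORE = "cpu  1000 0 500 8000 100 0 50 0 0 0\ncpu0 1000 0 500 8000 100 0 50 0 0 0\n"
AFTER = "cpu  7000 0 3300 8500 200 0 650 0 0 0\ncpu0 7000 0 3300 8500 200 0 650 0 0 0\n"

# Constructed auth.log sizes: exactly 14 MB of growth in 60 seconds.
LOG_SIZE_BEFORE = 1_000_000
LOG_SIZE_AFTER = LOG_SIZE_BEFORE + 14 * 1024 * 1024
INTERVAL_SECONDS = 60.0


def sample_live(seconds: float = 60.0,
                log_path: str = "/var/log/auth.log") -> tuple[float, float]:
    """Take real samples on a Linux host; returns (idle %, log MB/minute).

    Only meaningful on Linux with a readable /proc/stat; raises elsewhere.
    """
    if not os.path.exists("/proc/stat"):
        raise RuntimeError("/proc/stat not available on this system")
    with open("/proc/stat") as f:
        stat0 = f.read()
    size0 = os.path.getsize(log_path) if os.path.exists(log_path) else 0
    time.sleep(seconds)
    with open("/proc/stat") as f:
        stat1 = f.read()
    size1 = os.path.getsize(log_path) if os.path.exists(log_path) else 0
    return idle_percent(stat0, stat1), growth_rate_mb_per_minute(size0, size1, seconds)


if __name__ == "__main__":
    print(f"idle: {idle_percent(BEFORE, AFTER):.1f}%")
    print(f"auth.log growth: "
          f"{growth_rate_mb_per_minute(LOG_SIZE_BEFORE, LOG_SIZE_AFTER, INTERVAL_SECONDS):.1f} MB/min")
```

Run `sample_live()` on the sshd host during a test to reproduce the post's two numbers for your own environment; a per-source penalty setting can be judged effective only if both the idle figure stays high and the log growth rate stays bounded under the same load.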
More information about the openssh-unix-dev mailing list