[Bug 3211] DDoS attack by using ssh-keyscan

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Mar 12 15:02:15 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3211

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
In 8.5 we added PerSourceMaxStartups and PerSourceNetBlockSize which
allow limiting startups by source address, optionally grouping nearby
addresses into blocks:

     PerSourceMaxStartups
             Specifies the number of unauthenticated connections allowed from
             a given source address, or "none" if there is no limit.  This
             limit is applied in addition to MaxStartups, whichever is lower.
             The default is none.

     PerSourceNetBlockSize
             Specifies the number of bits of source address that are grouped
             together for the purposes of applying PerSourceMaxStartups
             limits.  Values for IPv4 and optionally IPv6 may be specified,
             separated by a colon.  The default is 32:128, which means each
             address is considered individually.

If you set PerSourceMaxStartups to something lower than MaxStartups it
will prevent any single address (or block of addresses if you set
PerSourceNetBlockSize) from tying up all of the startups.

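To make the interaction of the three settings concrete, here is a small model of the admission decision described in the comment above. It is an added illustration, not OpenSSH's own srclimit.c and not code from the bug reporter or Darren Tucker; the client addresses are constructed, and MaxStartups' "start:rate:full" random-early-drop form is reduced to a single hard ceiling (an assumption that only affects the global limit, not the per-source logic being shown). It goes slightly beyond the comment by also showing why PerSourceMaxStartups alone does not help against a flood spread over many addresses in one block.

```python
"""Model of the OpenSSH 8.5 per-source startup limit (added example).

Not OpenSSH's own code. Semantics modelled from the sshd_config text
quoted in the bug: a global MaxStartups ceiling on unauthenticated
connections, a per-source ceiling (PerSourceMaxStartups, or None for
"none"), and PerSourceNetBlockSize "v4:v6" prefix lengths deciding which
source addresses are counted together. MaxStartups' random-early-drop
("start:rate:full") form is simplified here to its hard "full" value.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def parse_netblock_size(value: str) -> Tuple[int, int]:
    """Parse a PerSourceNetBlockSize value such as "24" or "24:64".

    The default "32:128" means every address is counted on its own.
    An IPv4-only value leaves the IPv6 prefix at its default of 128.
    """
    parts = value.split(":")
    v4 = int(parts[0])
    v6 = int(parts[1]) if len(parts) > 1 else 128
    if not (0 <= v4 <= 32 and 0 <= v6 <= 128):
        raise ValueError(f"invalid PerSourceNetBlockSize: {value!r}")
    return v4, v6


def source_key(addr: str, netblock: Tuple[int, int]) -> str:
    """Map a client address to the block it is counted under."""
    ip = ipaddress.ip_address(addr)
    bits = netblock[0] if ip.version == 4 else netblock[1]
    return str(ipaddress.ip_network((str(ip), bits), strict=False))


class StartupLimiter:
    def __init__(self, max_startups: int, per_source_max: Optional[int],
                 netblock: str = "32:128") -> None:
        self.max_startups = max_startups
        self.per_source_max = per_source_max      # None models "none"
        self.netblock = parse_netblock_size(netblock)
        self.pending: Dict[str, int] = {}         # block -> unauthenticated count

    def total(self) -> int:
        return sum(self.pending.values())

    def admit(self, addr: str) -> bool:
        """Decide whether a new unauthenticated connection may start.

        Both ceilings apply, so the effective limit for one block is the
        lower of MaxStartups and PerSourceMaxStartups.
        """
        if self.total() >= self.max_startups:
            return False
        key = source_key(addr, self.netblock)
        if (self.per_source_max is not None
                and self.pending.get(key, 0) >= self.per_source_max):
            return False
        self.pending[key] = self.pending.get(key, 0) + 1
        return True

    def finish(self, addr: str) -> None:
        """Connection authenticated or closed: release its startup slot."""
        key = source_key(addr, self.netblock)
        if self.pending.get(key, 0) > 0:
            self.pending[key] -= 1


def simulate(max_startups: int, per_source_max: Optional[int],
             netblock: str, clients: List[str]) -> List[str]:
    """Run a sequence of connection attempts; return the refused addresses."""
    lim = StartupLimiter(max_startups, per_source_max, netblock)
    return [a for a in clients if not lim.admit(a)]


# Constructed scenario: an ssh-keyscan flood of ten connections from one
# /24 arrives before two legitimate users (one IPv4, one IPv6).
FLOOD = [f"203.0.113.{i}" for i in range(1, 11)]
USERS = ["198.51.100.7", "2001:db8:1::42"]


def default_config() -> List[str]:
    # MaxStartups 10, PerSourceMaxStartups none (8.5 default):
    # the flood fills every slot and both real users are refused.
    return simulate(10, None, "32:128", FLOOD + USERS)


def per_source_ungrouped() -> List[str]:
    # PerSourceMaxStartups 3 but default 32:128 grouping: each flood
    # address is its own source, so the limit never triggers.
    return simulate(10, 3, "32:128", FLOOD + USERS)


def hardened_config() -> List[str]:
    # PerSourceMaxStartups 3 with PerSourceNetBlockSize 24:64: the whole
    # /24 is capped at three pending connections and the users get in.
    return simulate(10, 3, "24:64", FLOOD + USERS)


if __name__ == "__main__":
    print("default refused:  ", default_config())
    print("ungrouped refused:", per_source_ungrouped())
    print("hardened refused: ", hardened_config())
```

The `hardened_config()` case corresponds to `MaxStartups 10`, `PerSourceMaxStartups 3` and `PerSourceNetBlockSize 24:64` in sshd_config; `sshd -T | grep -i -E 'maxstartups|persource'` prints the values sshd actually loaded, which is the quickest way to confirm a reload picked them up.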