An Analysis of the DHEat DoS Against SSH in Cloud Environments
Joseph S. Testa II
jtesta at positronsecurity.com
Fri Jun 28 03:51:46 AEST 2024
I'd like to withdraw the last set of metrics I reported. I couldn't
reproduce some of them, and I suspect I made a mistake during testing.
Being more careful this time, I set up another fully updated Ubuntu
24.04 VM with 4 vCPUs running openssh-SNAP-20240628.tar.gz with all
defaults unchanged.
When running using "ssh-audit.py --conn-rate-test=16 target_host", the
system idle time averaged over 60 seconds was 50%. The
/var/log/auth.log file grew 73MB in this time (nearly 400,000 lines
were messages produced by the new PerSourcePenalties logging in
sshd.c:627).
Next, I modified the logging in sshd.c:627 to always use
SYSLOG_LEVEL_DEBUG1 instead of SYSLOG_LEVEL_INFO. Re-running the above
test resulted in 73% average idle time and 8KB of log growth.
Lastly, from an m7i.2xlarge source EC2 instance in AWS, I targeted an
m7i.large instance using "ssh-audit --dheat=4:diffie-hellman-group18-sha512:4 target_host".
In my original research article, this caused the average idle time to
drop to 0.01%; against openssh-SNAP-20240628.tar.gz with the log level
in sshd.c:627 changed to DEBUG1, the idle time was observed to be 84%.
My conclusion is that the default user configuration of
PerSourcePenalties sufficiently stops the DHEat DoS. However, the
logging implementation should be modified to prevent disk resource
exhaustion. Aside from possibly changing the log level to VERBOSE (or
DEBUG1?), perhaps the level can remain at INFO and message aggregation
can be added (e.g.: the Linux kernel sometimes logs a single line
followed by "(the above message was repeated 2168 times)").
- Joe
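The message-aggregation idea above, as an added illustration that is not part of the post and not OpenSSH code: an aggregating logger that collapses consecutive identical lines into one copy plus a "(the above message was repeated N times)" summary, so a burst like the one measured above costs a few lines instead of hundreds of thousands. The log text, the in-memory string sink and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Aggregating logger: consecutive identical messages are collapsed into the
 * first copy plus one "(the above message was repeated N times)" summary,
 * in the style of the kernel behaviour mentioned in the post. */
typedef struct {
    char last[256];              /* most recently emitted message */
    unsigned long repeats;       /* suppressed copies of `last` not yet summarised */
    char *buf; size_t cap, len;  /* output sink (a string here; a file or syslog in practice) */
    unsigned long lines;         /* lines actually emitted to the sink */
} log_agg;

static void agg_emit(log_agg *a, const char *line) {
    int n = snprintf(a->buf + a->len, a->cap - a->len, "%s\n", line);
    if (n > 0 && (size_t)n < a->cap - a->len) a->len += (size_t)n;
    a->lines++;
}

static void agg_flush(log_agg *a) {   /* write the pending summary, if any */
    char summary[64];
    if (a->repeats == 0) return;
    snprintf(summary, sizeof summary, "(the above message was repeated %lu times)", a->repeats);
    agg_emit(a, summary);
    a->repeats = 0;
}

void log_agg_write(log_agg *a, const char *msg) {
    if (a->last[0] && strcmp(a->last, msg) == 0) { a->repeats++; return; }
    agg_flush(a);                                  /* a different message ends the run */
    agg_emit(a, msg);
    snprintf(a->last, sizeof a->last, "%s", msg);
}

void log_agg_close(log_agg *a) { agg_flush(a); a->last[0] = '\0'; }

char demo_out[1024];   /* sink for the demo below */

/* Feed `burst` copies of a constructed penalty-style line followed by one
 * unrelated line; returns how many lines reached the sink. */
unsigned long demo_burst(unsigned long burst) {
    log_agg a = { "", 0, demo_out, sizeof demo_out, 0, 0 };
    demo_out[0] = '\0';
    for (unsigned long i = 0; i < burst; i++)   /* constructed text, not sshd's real wording */
        log_agg_write(&a, "penalty: dropping connection from 192.0.2.10 (constructed sample)");
    log_agg_write(&a, "Accepted publickey for alice from 192.0.2.20 (constructed sample)");
    log_agg_close(&a);
    return a.lines;
}

int main(void) { demo_burst(2000); fputs(demo_out, stdout); return 0; }
```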