Date: Tue, 3 Jan 2012 05:56:57 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: speaking of DoS, openssh and dropbear (CVE-2006-1206)

On Tue, Jan 03, 2012 at 12:33:01AM +0100, Nico Golde wrote:
> P.S. if anyone has a clue on why that script still works with dropbear, even
> though it already seems to implement per-ip based connection counting...

Does it still work? I was not able to reproduce that.

I built Dropbear 2011.54, generated an RSA host key with "./dropbearkey -t rsa -f dropbear_rsa_host_key" and started the service with "./dropbear -r dropbear_rsa_host_key -p 2222". Then I ran your DoS program with "0:2222 10" on the command-line. At first, it detected that Dropbear would only allow 5 connections from the source address (indeed, Dropbear's MAX_UNAUTH_PER_IP defaults to 5), and I was no longer able to get the SSH version banner with "nc -v 0 2222" (the connection would be closed immediately). However, after a while I started being able to connect with "nc" again, and Dropbear's log records only showed the DoS program making 4 connections at a time, not 5 - I don't know why.

So I hacked the program to make 6 connections at a time instead (changed get_max_startups() to just "return 6;"). Then the DoS for connections from 127.0.0.1 became reliable, so I was able to reasonably test connections from other source IP addresses, which I did. "nc -s 127.0.0.2 -v 0 2222" worked flawlessly (multiple times with no issue), reporting "SSH-2.0-dropbear_2011.54". Thus, the per-source limit appeared to work as it should have. Where's the problem?

(Of course, with the defaults of MAX_UNAUTH_CLIENTS 30 and MAX_UNAUTH_PER_IP 5 it'd only take abusive connections from 6 IP addresses to DoS the service, but that's expected.)

Alexander
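
Added example, not part of the original message and not Dropbear's source: a simplified model of the two limits named above, assuming a new connection is refused once either the total or the per-source count of unauthenticated connections has reached its limit. The struct, the function names and the sample addresses are constructed for illustration; it shows why a second source address still gets the banner while one address is at its cap, and at what point the global limit takes over.

```c
#include <stdio.h>
#include <string.h>

#define MAX_UNAUTH_CLIENTS 30 /* default quoted in the message */
#define MAX_UNAUTH_PER_IP   5 /* default quoted in the message */

/* One slot per unauthenticated connection; an empty string is a free slot. */
struct limiter { char src[MAX_UNAUTH_CLIENTS][16]; };

/* Assumed admission rule: refuse when either count has reached its limit. */
int admit(struct limiter *l, const char *src) {
    int total = 0, same = 0, free_slot = -1;
    for (int i = 0; i < MAX_UNAUTH_CLIENTS; i++) {
        if (l->src[i][0] == '\0') { if (free_slot < 0) free_slot = i; continue; }
        total++;
        if (strcmp(l->src[i], src) == 0) same++;
    }
    if (total >= MAX_UNAUTH_CLIENTS || same >= MAX_UNAUTH_PER_IP) return 0;
    strncpy(l->src[free_slot], src, 15);
    l->src[free_slot][15] = '\0';
    return 1;
}

/* How many of `attempts` connections from a single address are admitted. */
int admitted_from_one(int attempts) {
    struct limiter l; int ok = 0;
    memset(&l, 0, sizeof l);
    for (int i = 0; i < attempts; i++) ok += admit(&l, "127.0.0.1");
    return ok;
}

/* Hold `per_src` attempts from each of `nsrc` constructed addresses open,
 * then report whether a client from a different address is admitted. */
int probe_after(int nsrc, int per_src) {
    struct limiter l; char ip[16];
    memset(&l, 0, sizeof l);
    for (int s = 0; s < nsrc; s++) {
        snprintf(ip, sizeof ip, "192.0.2.%d", s + 1); /* constructed address */
        for (int c = 0; c < per_src; c++) admit(&l, ip);
    }
    return admit(&l, "198.51.100.7"); /* constructed address */
}

int main(void) {
    printf("admitted out of 6 from one address: %d\n", admitted_from_one(6));
    for (int n = 1; n <= 6; n++)
        printf("%d busy sources -> new source admitted: %d\n", n, probe_after(n, 6));
    return 0;
}
```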