From: "curby ." <curby.public@gmail.com>
To: netfilter@lists.netfilter.org
Cc: sfrost@snowman.net
Subject: Re: SSH Brute force attacks - Script version 1.0
Date: Mon, 27 Jun 2005 09:53:01 -0600
Message-ID: <5d2f379105062708534de71258@mail.gmail.com>
In-Reply-To: <000c01c57af0$c58cb5c0$4206a8c0@loki>
On 6/27/05, Marius Mertens <marius.mertens@gmx.de> wrote:
> If you are afraid of somebody trying to DOS you, the recent match with the
> added TTL check might be an even better choice.

I've been wondering about recent's TTL check and its ability to
prevent or even reduce DoSing.

To test if the TTL option is used, the attacker can send regular
(nonspoofed) ssh requests until they start becoming unresponsive (call
this number n), then try sending another request with a different TTL.
If that request returns, TTL match is being used, so simply send n-1
requests with different TTLs and the spoofed address. Unless the
route from the attacker to the sshd is longer than the route from the
spoofed client IP to the sshd and the client uses a TTL of 255 (or
something similarly high), the legitimate client will still be DoSed.

Knowledge of the client system's OS or TCP stack is also reasonably
easy to acquire, and can help narrow down the TTLs that need to be
sent. Or the attacker can be lazy and send 250 or so SYN packets with
different TTLs and the spoofed IP.

In short, if an attacker knows you're using recent to track ssh
requests, and is not so clueless that he doesn't know about the TTL
option to recent, you're dead whether or not you use the TTL option.

On a related note, I really hope ISPs are doing some egress filtering
to prevent these packets with source IPs not on the expected subnet
from getting out. I wonder how many do...
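For readers who have not seen the two rule sets the thread is arguing about, the following is an added example (editor's illustration, not a script posted by any participant in this thread): the recent-match rate limit for port 22 with the --rttl option discussed above, and a BCP 38 style egress rule of the kind the last paragraph hopes ISPs deploy. The interface name eth0, the prefix 192.0.2.0/24, the list name SSH and the 4-hits-in-60-seconds threshold are placeholders chosen for the example; setting IPT="echo iptables" prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original message or the netfilter project.
# Assumed values: eth0 is the upstream interface, 192.0.2.0/24 is the
# prefix we originate traffic for. Override with environment variables.
set -eu

IPT="${IPT:-iptables}"               # IPT="echo iptables" for a dry run
WAN_IF="${WAN_IF:-eth0}"             # assumed upstream interface
LAN_NET="${LAN_NET:-192.0.2.0/24}"   # assumed local/customer prefix

ssh_recent_rules() {
    # Every new connection attempt to port 22 records its source address
    # (and the packet's TTL) in the list named SSH.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --name SSH --set

    # Drop the 4th and later attempts from one address within 60 seconds.
    # --rttl narrows the match to packets whose TTL equals the TTL stored
    # for that address, so a spoofed SYN that arrives with a different hop
    # count does not count as a hit against the real client.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --name SSH --update --seconds 60 --hitcount 4 --rttl \
        -j DROP
}

egress_antispoof_rules() {
    # Forwarded packets leaving the upstream interface must carry a source
    # address from the prefix we route for; anything else is spoofed and
    # is dropped here instead of reaching someone else's recent list.
    $IPT -A FORWARD -o "$WAN_IF" ! -s "$LAN_NET" -j DROP
}
```

The egress rule only covers forwarded traffic; locally generated packets would need the same check in the OUTPUT chain. As the message above points out, --rttl only helps while the attacker has not matched the legitimate client's TTL, so it narrows the attacker's search rather than closing it.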