SSH: DDoS mitigation

From sshd_config(5):

MaxStartups
    Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10:30:100.

    Alternatively, random early drop can be enabled by specifying the three colon separated values start:rate:full (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of rate/100 (30%) if there are currently start (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches full (60).
To see how this behaves in practice, you can:
  1. read the source code (if you love C)
  2. ask on StackOverflow
  3. test it
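To make the start:rate:full semantics concrete before testing, here is an added Python model (not part of the original post and not OpenSSH's code) of the drop decision described above. It assumes the integer arithmetic of drop_connection() in OpenSSH's sshd.c and uses it to simulate a burst of connections that all arrive before any of them authenticates, which is what the pssh runs below do.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MaxStartups:
    """Parsed sshd MaxStartups value: either 'start:rate:full' or a plain 'full'."""
    start: int  # pending unauthenticated connections at which dropping begins
    rate: int   # drop probability in percent once 'start' is reached
    full: int   # every new connection is refused at this many pending

    @classmethod
    def parse(cls, value: str) -> "MaxStartups":
        parts = [int(p) for p in value.split(":")]
        if len(parts) == 1:  # "MaxStartups 60": hard cap, no random early drop
            return cls(parts[0], 100, parts[0])
        if len(parts) != 3:
            raise ValueError("expected start:rate:full, got %r" % value)
        start, rate, full = parts
        if not (0 < start <= full and 0 <= rate <= 100):
            raise ValueError("invalid MaxStartups value %r" % value)
        return cls(start, rate, full)

    def drop_percent(self, pending: int) -> int:
        """Percent chance that sshd refuses a new connection while 'pending'
        unauthenticated connections exist. The integer arithmetic is modelled
        on drop_connection() in OpenSSH's sshd.c (assumption, not a copy)."""
        if pending < self.start:
            return 0
        if pending >= self.full or self.rate == 100:
            return 100
        p = (100 - self.rate) * (pending - self.start)
        p //= self.full - self.start  # linear ramp from 'rate' at start ...
        return p + self.rate          # ... up to 100 at full


def simulate_burst(cfg: MaxStartups, attempts: int, seed: int = 0) -> tuple:
    """Model 'attempts' connections that all arrive before any of them
    authenticates (as pssh --par N does). Returns (accepted, refused)."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    pending = refused = 0
    for _ in range(attempts):
        if rng.randrange(100) < cfg.drop_percent(pending):
            refused += 1
        else:
            pending += 1
    return pending, refused
```

MaxStartups only counts connections still in the unauthenticated state; a pending slot is freed when its login completes or LoginGraceTime expires, so sessions that have already authenticated never count against it.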

Test MaxStartups

  1. First, have a running SSH server with root access. In my example, the SSH server is 10.10.62.201.
  2. Build host files containing 10, 30, 60 and 100 copies of the server address, then open that many sessions with pssh (-i prints each host's output inline, -l root sets the login user, --askpass prompts for the password once):
yes 10.10.62.201 | head -n 10 > hostfile10
yes 10.10.62.201 | head -n 30 > hostfile30
yes 10.10.62.201 | head -n 60 > hostfile60
yes 10.10.62.201 | head -n 100 > hostfile100
pssh -i -h hostfile10 -l root --askpass whoami > output10.1
pssh -i -h hostfile30 -l root --askpass whoami > output30.1
pssh -i -h hostfile60 -l root --askpass whoami > output60.1
pssh -i -h hostfile100 -l root --askpass whoami > output100.1
MaxStartups 10:30:60 (pssh default parallelism):
╔═════════════╦═════════╦═════════╦══════════════╗
║ Connections ║ Success ║ Failure ║ Failure Rate ║
╠═════════════╬═════════╬═════════╬══════════════╣
║          10 ║      10 ║       0 ║           0% ║
║          30 ║      26 ║       4 ║          13% ║
║          60 ║      48 ║      12 ║          20% ║
║         100 ║      78 ║      22 ║          22% ║
╚═════════════╩═════════╩═════════╩══════════════╝

MaxStartups 60 (pssh default parallelism):
╔═════════════╦═════════╦═════════╦══════════════╗
║ Connections ║ Success ║ Failure ║ Failure Rate ║
╠═════════════╬═════════╬═════════╬══════════════╣
║          10 ║      10 ║       0 ║           0% ║
║          30 ║      30 ║       0 ║           0% ║
║          60 ║      60 ║       0 ║           0% ║
║         100 ║     100 ║       0 ║           0% ║
╚═════════════╩═════════╩═════════╩══════════════╝
pssh(1) documents its parallelism option as:
-p parallelism, --par parallelism
    Use the given number as the maximum number of concurrent connections.

Re-test with Specific Parallel Sessions

Since the largest number of hosts I specified is 100, I'll add --par 100 to the pssh test.

MaxStartups 10:30:60 (--par 100):
╔═════════════╦═════════╦═════════╦══════════════╗
║ Connections ║ Success ║ Failure ║ Failure Rate ║
╠═════════════╬═════════╬═════════╬══════════════╣
║          10 ║      10 ║       0 ║           0% ║
║          30 ║      23 ║       7 ║          23% ║
║          60 ║      33 ║      27 ║          45% ║
║         100 ║      47 ║      53 ║          53% ║
╚═════════════╩═════════╩═════════╩══════════════╝

MaxStartups 60 (--par 100):
╔═════════════╦═════════╦═════════╦══════════════╗
║ Connections ║ Success ║ Failure ║ Failure Rate ║
╠═════════════╬═════════╬═════════╬══════════════╣
║          10 ║      10 ║       0 ║           0% ║
║          30 ║      30 ║       0 ║           0% ║
║          60 ║      60 ║       0 ║           0% ║
║         100 ║      60 ║      40 ║          40% ║
╚═════════════╩═════════╩═════════╩══════════════╝

Conclusion

  1. With MaxStartups 10:30:60, sshd mitigates some DoS attacks by rejecting connections early (random early drop).
  2. With MaxStartups 60, concurrent unauthenticated connections are capped at 60.
  3. pssh has a default batch (parallelism) value. You can set the batch size with --par <number>.
