RE: Login Attempt Limits
From: Mark Senior (Mark.Senior_at_gov.ab.ca)
Date: 05/06/05
- Previous message: Stephen Warren: "Re: Cannot SSH from outside LAN"
- Maybe in reply to: MPHMedia.Net: "Login Attempt Limits"
Date: Thu, 5 May 2005 16:47:21 -0600
To: "Price, Christopher" <Christopher.Price@encana.com>
That would not be trivial - if they're spoofing source IPs, they're not
going to see the response packets, since the responses will go to the
spoofed source. That would mean the attackers have to
(a) guess the initial sequence numbers, just to get a TCP handshake all
the way opened. Difficult enough on most modern operating systems -
there are some interesting math papers that go largely over my head,
which suggest that it wouldn't be altogether impossible - you might
get it to work once or twice a day if you're very clever.
(b) initiate a complete cryptographic handshake blindly - guess several
more random numbers, finally arriving at a valid session key, without
having been a party to any Diffie-Hellman negotiations.
A far easier DoS attack would involve simply exhausting your bandwidth
with a botnet.
Regards
Mark
> -----Original Message-----
> From: Price, Christopher
> Sent: May 5, 2005 13:13
> To: MPHMedia.Net; secureshell@securityfocus.com
> Subject: RE: Login Attempt Limits
>
>
> Your proposal could lead to a DoS attack designed to
> deny large ranges of IP addresses access to your SSHD service
> by using IP spoofing, no?
>
> -----Original Message-----
> From: MPHMedia.Net
> Sent: Thursday, May 05, 2005 8:53 AM
> To: secureshell@securityfocus.com
> Subject: Login Attempt Limits
...
> 1. When an IP has failed attempts for different usernames
> within a short
> period block that IP for some number of minutes. This would be done
> automatically using configuration file parameters. With this option I
> would block an IP for 30 minutes after three failed attempts with
> different usernames occurring under a minute.
>
> 2. Execute an IP block as above when there are 3 root user failures.
>
> 3. Execute an IP block as above when there are 5 same user failures.
>
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
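The three blocking rules in the quoted proposal, implemented as an added example (not code from the thread or from any SSH daemon) as a small policy engine run over constructed sshd-style log lines. The log format, the IP addresses and the helper names (`LoginAttemptLimiter`, `process_log`) are assumptions made for the example; the one-minute window and 30-minute block come from the proposal, and applying the same window to the root and same-user rules is an assumed reading of "as above".

```python
# Added example: a policy engine for the three proposed rules, run over
# constructed log lines. Not the list poster's code and not sshd's own logic.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format (modelled on sshd's "Failed password" message, but
# with an ISO timestamp for simplicity):  <ISO time> Failed password for [invalid user] <user> from <ip> ...
FAILED_RE = re.compile(r"^(\S+) Failed password for (?:invalid user )?(\S+) from (\S+)")


class LoginAttemptLimiter:
    """Hypothetical helper applying the proposal's three rules per source IP."""

    def __init__(self, window=timedelta(minutes=1), block_for=timedelta(minutes=30),
                 distinct_user_limit=3, root_limit=3, same_user_limit=5):
        self.window = window                    # "under a minute" in the proposal
        self.block_for = block_for              # "block an IP for 30 minutes"
        self.distinct_user_limit = distinct_user_limit   # rule 1
        self.root_limit = root_limit                     # rule 2
        self.same_user_limit = same_user_limit           # rule 3
        self.failures = defaultdict(deque)      # ip -> deque of (timestamp, user)
        self.blocked = {}                       # ip -> block expiry time

    def is_blocked(self, ip, now):
        """True while a block is in force; expired blocks are cleared lazily."""
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[ip]
            return False
        return True

    def record_failure(self, ip, user, now):
        """Record one failed attempt; return the name of the rule that fired, or None."""
        q = self.failures[ip]
        q.append((now, user))
        # Keep only attempts inside the sliding window.
        while q and now - q[0][0] > self.window:
            q.popleft()
        users = [u for _, u in q]
        rule = None
        if len(set(users)) >= self.distinct_user_limit:
            rule = "distinct-users"          # rule 1: 3 failures, different usernames
        elif users.count("root") >= self.root_limit:
            rule = "root-failures"           # rule 2: 3 root failures
        elif any(users.count(u) >= self.same_user_limit for u in set(users)):
            rule = "same-user"               # rule 3: 5 failures for one username
        if rule:
            self.blocked[ip] = now + self.block_for
            q.clear()
        return rule


def process_log(lines):
    """Feed log lines through the limiter; return (blocks fired, attempts seen while blocked)."""
    limiter = LoginAttemptLimiter()
    blocks, dropped = [], []
    for line in lines.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts, user, ip = m.groups()
        now = datetime.fromisoformat(ts)
        if limiter.is_blocked(ip, now):
            dropped.append((ip, ts))         # would be refused by the block
            continue
        rule = limiter.record_failure(ip, user, now)
        if rule:
            blocks.append((ip, rule, ts))
    return blocks, dropped


# Constructed sample input (documentation-range addresses, not real hosts).
LOG_LINES = """\
2005-05-05T08:53:00 Failed password for root from 192.0.2.10 port 40001 ssh2
2005-05-05T08:53:05 Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
2005-05-05T08:53:09 Failed password for invalid user test from 192.0.2.10 port 40003 ssh2
2005-05-05T08:53:20 Failed password for root from 192.0.2.10 port 40004 ssh2
2005-05-05T08:54:00 Failed password for alice from 198.51.100.7 port 50001 ssh2
2005-05-05T08:54:10 Failed password for alice from 198.51.100.7 port 50002 ssh2
2005-05-05T08:55:30 Failed password for alice from 198.51.100.7 port 50003 ssh2
2005-05-05T08:55:40 Failed password for alice from 198.51.100.7 port 50004 ssh2
2005-05-05T08:55:50 Failed password for alice from 198.51.100.7 port 50005 ssh2
2005-05-05T08:56:00 Failed password for alice from 198.51.100.7 port 50006 ssh2
2005-05-05T08:56:05 Failed password for alice from 198.51.100.7 port 50007 ssh2
2005-05-05T08:57:00 Failed password for root from 203.0.113.5 port 60001 ssh2
2005-05-05T08:57:10 Failed password for root from 203.0.113.5 port 60002 ssh2
2005-05-05T08:57:20 Failed password for root from 203.0.113.5 port 60003 ssh2
"""

if __name__ == "__main__":
    fired, refused = process_log(LOG_LINES)
    for ip, rule, ts in fired:
        print(f"{ts} block {ip} ({rule})")
    for ip, ts in refused:
        print(f"{ts} attempt from {ip} while blocked")
```

The first address trips rule 1 on its third distinct username, the second trips rule 3 only once five failures for `alice` fall inside the same one-minute window (the two earlier attempts have aged out), and the third trips rule 2. The block is keyed on the source address of a completed connection, which is the point of the reply above: a failed password can only be logged for an address that finished the TCP and SSH handshakes, so the list cannot be populated with addresses a blind sender merely writes into spoofed packets.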