https://bugzilla.mindrot.org/show_bug.cgi?id=3414
Bug ID: 3414
Summary: Out Of Memory attacks over SSH connections
Product: Portable OpenSSH
Version: 8.9p1
Hardware: All
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: sshd
Assignee: unassigned-b...@mindrot.org
Reporter: kircherl...@outlook.com
If a common user wants to kill a privileged user's process on the
server, he is likely to choose this attack mode.
The attack principle is simple, as long as common users have more
memory resources than the server and keep creating SSH connections.
Although sshd has MaxStartups, PerSourceMaxStartups, and
PerSourceNetBlockSize limits on the number of concurrent connections
established by clients, sshd does not limit the total number of
connections established or disconnect some connections when there are a
large number of connections.
As an attacker, we simply run the following shell command:
for((i=0;i<1;));do sleep 1; ssh [ip address of server] & done
It doesn't take too long to trigger the kernel's OOM, similar to the
following.
[1033097.096765] sshd invoked oom-killer:
gfp_mask=0x6280ca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), order=0,
oom_score_adj=0
Tested with 4.19 kernels on x86 machines, About 2500 ssh connections
can use up 4GB of memory.
If the above command is used, this may not take about 1 hour..
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
