[j-nsp] DOS attack?

Richard A Steenbergen ras at e-gerbil.net
Sun May 17 08:54:30 EDT 2009 

On Sun, May 17, 2009 at 02:19:56AM -0700, Robert Raszuk wrote:
> Hi Matthias,
> 
> > I wonder now, which is the event, that triggered this behavious? The
> > numer of ssh-logins at that time or this zbexpected EOF?
> 
> I would with good deal of assurance conclude that the cause were 
> ssh-login attack which apparently starved the poor box to it's memory 
> limits.
> 
> When even your kernel spins a panic message on the low of memory due to 
> such attack control plane can exhibit quite unexpected behavior. In my 
> opinion end-of-frame BGP message is just a consequence of this.
> 
> The advice would be to:
> 
> * open a case with jtac to find out why subsequent ssh-logins cause a 
> memory leak
> 
> * reduce to very max rate-limiting for the ssh logins

It's probably more likely that the box was always getting floods of SSH
connection attempts (because thats what happens to anything you leave on
the Internet with port 22 open), and the low memory condition was 
coincidental or 99% caused by something else. The openssh people would 
be shitting bricks if there was actually a memory leak from multiple 
connection attempts. Filter thy lo0 (*), but my money is on a leak 
somewhere else (or someone running a 256mb RE :P).

(*) I always found it weird that JUNOS lacks a software filter for
access to things like SSH, like a line vty access-class on Crisco. 
Obviously a proper lo0 firewall filter is "better", but there have been
a few occasions where this has been problematic over the years
(logical-routers pre-firewall split where the integration with policy
was tricky, EX for the first year of its life where lo0 filters didn't
work, etc). Something as simple as a prefix-list dumping to hosts.allow
would probably be sufficient. Also being able to change the listen port
to something other than 22 might help the people who for whatever reason
aren't able to do a strict IP based filter (simple option under system
services ssh to pass to sshd).

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

More information about the juniper-nsp mailing list