Hello, i have a question regarding SCTP support of OpenSSH. (I have searched the list, and it seems to show up periodically every two years, and since it's that time again i dare to ask...)

It can't be described better than what i've placed in a bug report yesterday, so please let me (mostly) copy & paste that:

Hello. I don't know how you do it, i never managed a(n exposed) server until January and now [.] i think what i have to face are TCP RST attacks on SSH connections, leading to "connection reset"s ["connection closed" on client side in fact] (of course).

My first reaction was something like "go UDP", but all i effectively need is SSH, so OpenVPN is much too full-blown for a bit of scp/ssh/git over ssh, and mosh (or a quick'n'dirty shot with new OpenSSL and DTLS, plus pty plus sh) is a complete disruption of the workflow. And IPsec is really, really no no no.

Looking around a bit i found RFC 4953, "Defending TCP Against Spoofing Attacks", and that mentions SCTP in a few places, e.g., "Other transport protocols, such as SCTP and DCCP, also have limited antispoofing mechanisms" and "whereas others establish per-connection identity based on exchanged nonces (e.g., SCTP)".

Now i knew there was an SCTP patch floating around for OpenSSH years ago, and it is indeed actively maintained until today and even available in the OpenSSH that Gentoo packages. I'm not at all a network expert so i don't know whether SCTP will really help against the particular attack i'm facing, but it sounds as if it would address some problems in this area, and so i'm kindly asking for inclusion of that actively maintained patch in place-your-favourite-OS(-distribution).

I've downloaded the patch from [1]; the OpenSSH bugzilla entries are [2] and [3]. Note that the patch ([1]) itself needs a patch for using SCTP via getopt, aka the command line (new -z option).

[1] http://ftp.uni-erlangen.de/pub/mirrors/gentoo/distfiles/openssh-7.2_p1-sctp.patch.xz
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=1604
[3] https://bugzilla.mindrot.org/show_bug.cgi?id=2016

Probably an expert can help answer the question whether SCTP would prevent TCP reset attacks (i guess what would be needed would be real confidence in mac/address/port of source). And if so, can't it be included in the portable version of OpenSSH? The initial comments of Markus Friedl and Darren Tucker didn't sound all that bad, imho, and the patch has been actively maintained for many years.

Thanks, and ciao,
--steffen

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
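Before changing transports it is worth confirming that the "connection reset"s really are injected RSTs rather than resets sent by the peer or a middlebox. The script below is an added example, not code from the message above or from OpenSSH, and it assumes a constructed, simplified one-segment-per-line log format (a tcpdump-like summary with the IP TTL pulled out); real tcpdump output needs its own parser. It applies two heuristics that network IDSs use for spoofed-RST detection: a RST whose TTL is far from the TTL the peer's other segments arrive with probably came from a different network position, and a peer that keeps sending data after "its" RST did not send that RST. (The property RFC 4953 credits to SCTP is that an ABORT must carry the association's 32-bit verification tag, which a blind off-path sender does not know; TCP has no equivalent, which is why these heuristics exist.)

```python
"""Heuristic spotting of likely-injected TCP RST segments in a packet log.

Added example (not from the original post). The input format is constructed:
"<time> ttl <ttl> <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
"""
import re
from collections import namedtuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ttl (?P<ttl>\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

TTL_TOLERANCE = 3  # hops of routing jitter tolerated before a TTL counts as "different"

Finding = namedtuple("Finding", "ts flow reason")

# Constructed sample: one client whose RST arrives with a very different TTL,
# one whose RST is followed by more data from the same peer, and one clean
# FIN/RST teardown that must not be flagged.
SAMPLE = """\
12:00:01.000 ttl 56 203.0.113.10.51514 > 198.51.100.5.22: Flags [P.], seq 1001:1101
12:00:01.050 ttl 56 203.0.113.10.51514 > 198.51.100.5.22: Flags [.], ack 2001
12:00:01.900 ttl 241 203.0.113.10.51514 > 198.51.100.5.22: Flags [R], seq 1101
12:00:02.100 ttl 56 203.0.113.10.51514 > 198.51.100.5.22: Flags [P.], seq 1101:1201
12:00:03.000 ttl 60 198.18.0.9.33000 > 198.51.100.5.22: Flags [P.], seq 10:110
12:00:03.500 ttl 60 198.18.0.9.33000 > 198.51.100.5.22: Flags [R], seq 110
12:00:03.700 ttl 60 198.18.0.9.33000 > 198.51.100.5.22: Flags [P.], seq 110:210
12:00:05.000 ttl 62 192.0.2.77.40022 > 198.51.100.5.22: Flags [P.], seq 500:600
12:00:06.000 ttl 62 192.0.2.77.40022 > 198.51.100.5.22: Flags [F.], seq 600
12:00:06.010 ttl 62 192.0.2.77.40022 > 198.51.100.5.22: Flags [R.], seq 601
"""


def parse(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    seg = m.groupdict()
    seg["ttl"] = int(seg["ttl"])
    seg["flow"] = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
    return seg


def find_suspicious_rsts(lines):
    """Return a Finding for every RST that looks injected, in log order."""
    baseline = {}     # flow -> TTL seen on the peer's first non-RST segment
    pending_rst = {}  # flow -> timestamp of a RST not (yet) judged suspicious
    findings = []
    for raw in lines:
        seg = parse(raw)
        if seg is None:
            continue
        flow, ttl, ts = seg["flow"], seg["ttl"], seg["ts"]
        if "R" not in seg["flags"]:
            # Heuristic 2: the peer talked again after the RST, so the RST was not its own.
            if flow in pending_rst:
                findings.append(Finding(pending_rst.pop(flow), flow, "peer kept sending after RST"))
            baseline.setdefault(flow, ttl)
            continue
        # Heuristic 1: compare the RST's TTL with the TTL of the peer's own segments.
        if flow in baseline and abs(baseline[flow] - ttl) > TTL_TOLERANCE:
            findings.append(Finding(ts, flow, f"RST ttl {ttl} vs baseline {baseline[flow]}"))
        else:
            pending_rst[flow] = ts  # judged later, if the peer keeps talking
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rsts(SAMPLE.splitlines()):
        print(f"{f.ts} {f.flow[0]}:{f.flow[1]} -> {f.flow[2]}:{f.flow[3]}: {f.reason}")
```

Both heuristics produce only suspicion, not proof: asymmetric routing can shift TTLs by a few hops (hence the tolerance), and a genuine peer can legitimately send a RST and then nothing. A run on the constructed sample flags the first two clients and leaves the orderly FIN/RST teardown from 192.0.2.77 alone; on a real capture, the same logic is a cheap first check before reaching for a different transport.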