I'd like to withdraw the last set of metrics I reported. I couldn't reproduce some of them, and I suspect I made a mistake during testing.

Being more careful this time, I set up another fully updated Ubuntu 24.04 VM with 4 vCPUs running openssh-SNAP-20240628.tar.gz with all defaults unchanged. When running using "ssh-audit.py --conn-rate-test=16 target_host", the system idle time averaged over 60 seconds was 50%. The /var/log/auth.log file grew 73MB in this time (nearly 400,000 lines were messages produced by the new PerSourcePenalties logging in sshd.c:627).

Next, I modified the logging in sshd.c:627 to always use SYSLOG_LEVEL_DEBUG1 instead of SYSLOG_LEVEL_INFO. Re-running the above test resulted in 73% average idle time and 8KB of log growth.

Lastly, from an m7i.2xlarge source EC2 instance in AWS, I targeted an m7i.large instance using "ssh-audit --dheat=4:diffie-hellman-group18-sha512:4 target_host". In my original research article, this caused the average idle time to drop to 0.01%; against openssh-SNAP-20240628.tar.gz with the log level in sshd.c:627 changed to DEBUG1, the idle time was observed to be 84%.

My conclusion is that the default user configuration of PerSourcePenalties sufficiently stops the DHEat DoS. However, the logging implementation should be modified to prevent disk resource exhaustion. Aside from possibly changing the log level to VERBOSE (or DEBUG1?), perhaps the level can remain at INFO and message aggregation can be added (e.g.: the Linux kernel sometimes logs a single line followed by "(the above message was repeated 2168 times)").

- Joe

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
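The message-aggregation idea proposed above, sketched as an added example (not code from the post or from OpenSSH): a filter that collapses consecutive syslog lines whose program and message text match, ignoring timestamp and PID, and emits a single repeat notice in the kernel's style. The sample auth.log lines are constructed, and the penalty message text in them is a placeholder; the example assumes nothing about sshd's real PerSourcePenalties wording.

```python
import re
from typing import Iterable, List

# Constructed sample of syslog-style /var/log/auth.log lines. The text after
# "sshd[pid]:" is a placeholder for the PerSourcePenalties message; this
# example does not assume sshd's real wording.
SAMPLE_LOG = [
    "Jun 28 12:00:01 vm sshd[1001]: penalty: dropped connection from 203.0.113.5 (placeholder)",
    "Jun 28 12:00:01 vm sshd[1002]: penalty: dropped connection from 203.0.113.5 (placeholder)",
    "Jun 28 12:00:02 vm sshd[1003]: penalty: dropped connection from 203.0.113.5 (placeholder)",
    "Jun 28 12:00:02 vm sshd[1004]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2",
    "Jun 28 12:00:03 vm sshd[1005]: penalty: dropped connection from 203.0.113.5 (placeholder)",
]

# Classic syslog line layout: "<Mon dd HH:MM:SS> <host> <prog>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

def dedup_key(line: str) -> str:
    """Identity of a message for aggregation: program and text, with timestamp and PID dropped."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return line  # unparseable lines are compared verbatim
    return f"{m['prog']}: {m['msg']}"

def aggregate(lines: Iterable[str]) -> List[str]:
    """Keep the first line of each run of identical messages, then one repeat notice for the rest."""
    out: List[str] = []
    prev_key = None
    suppressed = 0
    for line in lines:
        key = dedup_key(line)
        if key == prev_key:
            suppressed += 1
            continue
        if suppressed:
            out.append(f"(the above message was repeated {suppressed} times)")
        out.append(line)
        prev_key, suppressed = key, 0
    if suppressed:  # flush a run that ends at end of input
        out.append(f"(the above message was repeated {suppressed} times)")
    return out

def bytes_written(lines: Iterable[str]) -> int:
    """Disk space a log would consume, counting one newline per line."""
    return sum(len(l.encode()) + 1 for l in lines)

if __name__ == "__main__":
    for l in aggregate(SAMPLE_LOG):
        print(l)
    print(bytes_written(SAMPLE_LOG), "->", bytes_written(aggregate(SAMPLE_LOG)), "bytes")
```

Note that the run of penalty lines is only collapsed while it is uninterrupted: the accepted login in the middle of the sample starts a new run, so the later penalty line is written in full again.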