[nycbug-talk] another thread: sshd zombie attacks

Miles Nordin carton at Ivy.NET
Wed May 20 10:11:18 EDT 2009


>>>>> "jba" == Jerry B Altzman <jbaltz at 3phasecomputing.com> writes:

   jba> Not everyone could easily have used VPN software at the time.

according to ike-ng working group mailing list, IKEv1 is full of DoS.

not that it actually gets DoS'd in practice, but just saying, if you
are imagining VPN layer makes it ``proper,'' foolproof, nope.  in fact
just the opposite because none of your tricks to remain open to
Internet but avoid DoS will work with a closed-source appliance.
(auto blacklist on fail won't work, can't move IKE port numbers unless
you use proprietary/slow TCP NAT-T)