[nycbug-talk] another thread: sshd zombie attacks
Jerry B. Altzman
jbaltz at 3phasecomputing.com
Wed May 20 10:44:56 EDT 2009
on 5/20/2009 10:11 AM Miles Nordin said the following:
>>>>>> "jba" == Jerry B Altzman <jbaltz at 3phasecomputing.com> writes:
> jba> Not everyone could easily have used VPN software at the time.
> according to ike-ng working group mailing list, IKEv1 is full of DoS.
Stipulated, but that is orthogonal to my original point.
> not that it actually gets DoS'd in practice, but just saying, if you
> are imagining VPN layer makes it ``proper,'' foolproof, nope. in fact
I never believed that -- only that we couldn't apply VPN pixie-dust to
stop the *ssh* DOS we were experiencing due to other constraints we had.
Remember: the goal I had at the time was to stop the *ssh* DOS, not to
pre-emptively fix every security hole we had. (We ended up taking more
measures later.) We saw:
- with ssh on port 22, much ssh DOS
- with ssh on port !22, no ssh DOS
That was my only point.
//jbaltz
--
jerry b. altzman jbaltz at 3phasecomputing.com +1 718 763 7405
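The "ssh DOS" the thread describes shows up in sshd's auth log as bursts of "Failed password" lines from a few sources cycling through usernames. The snippet below is an added detection example, not code from the original post: it counts failures per source over constructed sample log lines and flags sources that cross a threshold; the log lines, the threshold and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd auth log lines; not taken from the thread.
SAMPLE_LOG = """\
May 20 10:01:02 host sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
May 20 10:01:03 host sshd[4102]: Failed password for invalid user oracle from 198.51.100.7 port 51240 ssh2
May 20 10:01:04 host sshd[4103]: Failed password for root from 198.51.100.7 port 51251 ssh2
May 20 10:01:05 host sshd[4104]: Failed password for invalid user test from 198.51.100.7 port 51260 ssh2
May 20 10:01:06 host sshd[4105]: Failed password for invalid user guest from 198.51.100.7 port 51271 ssh2
May 20 10:02:10 host sshd[4110]: Failed password for jbaltz from 203.0.113.9 port 40022 ssh2
May 20 10:02:15 host sshd[4111]: Accepted publickey for jbaltz from 203.0.113.9 port 40023 ssh2
"""

# Matches sshd's "Failed password" line; captures the username and the source address.
# The "port" here is the client's source port, not the port sshd listens on.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def failed_logins_by_source(log_text):
    """Map each source IP to a Counter of the usernames it failed to log in as."""
    by_source = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            by_source[src][user] += 1
    return by_source


def brute_force_sources(log_text, threshold=5):
    """Sources with at least `threshold` failures, with the number of distinct
    usernames each tried: a dictionary sweep cycles through many names, while
    a legitimate user mistyping a password hits one account repeatedly."""
    report = {}
    for src, users in failed_logins_by_source(log_text).items():
        total = sum(users.values())
        if total >= threshold:
            report[src] = {"failures": total, "distinct_users": len(users)}
    return report


if __name__ == "__main__":
    for src, info in brute_force_sources(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failures across {info['distinct_users']} usernames")
```

Feeding real /var/log/auth.log text in place of SAMPLE_LOG gives a quick picture of how much of the noise the thread talks about a host is actually absorbing.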