Our ns1.grapheneos.org DNS server was targeted by a DoS attack yesterday. They didn't target the DNS service but rather... SSH. That's a new one.
Can see the traffic spike but it was hardly anything compared to the usual attacks. Still, SSH buckled.
nodeping.com/reports/status
If you're running recent OpenSSH sshd then check out PerSourceMaxStartups/PerSourceNetBlockSize for some anti-DoS measures
Also turning off the non-ECC key exchange algorithms removes the major CPU hogs. Something like:
KexAlgorithms=-diffie-hellman-*
should work
It's the current stable release on Linux: OpenSSH_8.7p1, OpenSSL 1.1.1l 24 Aug 2021.
Configuration is at github.com/GrapheneOS/inf.
PerSourceMaxStartups would have helped a lot.
This was very small scale compared to the usual attacks on our web servers. It's weird to DoS SSH...
PerSourceMaxStartups 1 and a dramatically higher value for MaxStartups like 4096 will at least make it a lot less trivial to DoS. I didn't realize it was so easy to cut off SSH access with the default configuration. Lesson learned since they seem to want to make a habit of this.
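Added example, not code from the thread or from the GrapheneOS infrastructure repository linked above: a small audit of an sshd's effective configuration for the mitigations the two replies above converge on (PerSourceMaxStartups, a much larger MaxStartups, and dropping the finite-field diffie-hellman-* key exchange methods), plus the sshd_config fragment that applies them. It relies on `sshd -T` printing every effective keyword in lower case, one per line; the two sample outputs are constructed, the drop-in path `/etc/ssh/sshd_config.d/10-dos.conf` and the values `PerSourceMaxStartups 1` / `MaxStartups 4096` are the thread's suggestions rather than anything the project confirms, and the PerSource* keywords need OpenSSH 8.5 or later.

```python
"""Audit `sshd -T` output for pre-auth connection-flood mitigations.

Usage on a live host:   sshd -T | python3 check_sshd_dos.py
(`sshd -T` prints the effective config, keywords lower-cased, one per line.)
"""
import sys

# Values suggested in the thread; assumptions about what suits a given host.
PER_SOURCE_MAX_STARTUPS = 1            # unauthenticated connections per source address
MAX_STARTUPS = 4096                    # global pre-auth cap, raised so one source can't exhaust it
FINITE_FIELD_DH_PREFIX = "diffie-hellman-"   # the CPU-heavy KEX family to remove


def parse_sshd_T(text):
    """Parse `sshd -T` output into {keyword: value}.
    Repeated keywords (port, listenaddress, hostkey, ...) keep their last value."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key.lower()] = value.strip()
    return cfg


def check_dos_hardening(cfg):
    """Return [(severity, message)]; an empty list means all three mitigations are present."""
    findings = []

    # 1. Without PerSourceMaxStartups every MaxStartups slot is global, so a single
    #    source can fill them all and sshd refuses everyone else as well.
    if cfg.get("persourcemaxstartups", "none") == "none":
        findings.append(("high", "PerSourceMaxStartups is unset: one source address can occupy "
                                 "every pre-auth slot and lock out all other clients"))

    # 2. MaxStartups is start:rate:full. At the stock 10:30:100 sshd begins randomly
    #    refusing new connections once only 10 unauthenticated ones are open.
    begin = int(cfg.get("maxstartups", "10:30:100").split(":")[0])
    if begin <= 10:
        findings.append(("medium", f"MaxStartups starts dropping at {begin} unauthenticated "
                                   f"connections; with per-source limits in place it can be "
                                   f"raised (thread suggests {MAX_STARTUPS})"))

    # 3. Finite-field DH (group14/16/18 and group-exchange) costs far more server CPU
    #    per handshake than the X25519/ECDH methods; a flood makes sshd pay that cost.
    kex = cfg.get("kexalgorithms", "")
    dh = [k for k in kex.split(",") if k.startswith(FINITE_FIELD_DH_PREFIX)]
    if dh:
        findings.append(("low", "CPU-heavy key exchange still offered: " + ",".join(dh)))
    return findings


def hardened_config():
    """sshd_config drop-in with the thread's values (path and values are assumptions)."""
    return "\n".join([
        "# /etc/ssh/sshd_config.d/10-dos.conf  (PerSource* needs OpenSSH >= 8.5)",
        f"PerSourceMaxStartups {PER_SOURCE_MAX_STARTUPS}",
        f"MaxStartups {MAX_STARTUPS}",
        # A leading '-' removes matching methods from the default list, so the
        # X25519/ECDH methods stay and the diffie-hellman-* group methods go.
        f"KexAlgorithms -{FINITE_FIELD_DH_PREFIX}*",
    ])


# Constructed `sshd -T` excerpts: stock defaults, and the same host after the drop-in.
SAMPLE_DEFAULT = """\
port 22
maxstartups 10:30:100
persourcemaxstartups none
persourcenetblocksize 32:128
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
"""

SAMPLE_HARDENED = """\
port 22
maxstartups 4096:30:4096
persourcemaxstartups 1
persourcenetblocksize 32:128
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
"""

if __name__ == "__main__":
    text = SAMPLE_DEFAULT if sys.stdin.isatty() else sys.stdin.read()
    for sev, msg in check_dos_hardening(parse_sshd_T(text)) or [("ok", "no findings")]:
        print(f"[{sev}] {msg}")
```

Two caveats before copying the drop-in: `PerSourceMaxStartups 1` refuses a second concurrent pre-auth connection from the same address, which bites several admins behind one NAT or parallel scp/rsync jobs from one host, so raise it if that is your situation; and the default `PerSourceNetBlockSize 32:128` counts each IPv4 address separately, so a flood spread over many addresses is still capped only by MaxStartups. Run `sshd -t` to validate the file before restarting the daemon.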
They stopped pretty much immediately once it started causing rejected connections. The intention appears to have been testing how easily they could cause a disruption. Traffic burst only lasted about a minute.
I assume they're going to start bothering us regularly with this now.