Our ns1.grapheneos.org DNS server was targeted by a DoS attack yesterday. They didn't target the DNS service but rather... SSH. That's a new one.
Can see the traffic spike but it was hardly anything compared to the usual attacks. Still, SSH buckled.
nodeping.com/reports/status
If you're running recent OpenSSH sshd then check out PerSourceMaxStartups/PerSourceNetBlockSize for some anti-DoS measures
Also turning off the non-ECC key exchange algorithms removes the major CPU hogs. Something like:
KexAlgorithms=-diffie-hellman-*
should work
It's the current stable release on Linux: OpenSSH_8.7p1, OpenSSL 1.1.1l 24 Aug 2021.
Configuration is at github.com/GrapheneOS/inf.
PerSourceMaxStartups would have helped a lot.
This was very small scale compared to the usual attacks on our web servers. It's weird to DoS SSH...
PerSourceMaxStartups 1 and a dramatically higher value for MaxStartups like 4096 will at least make it a lot less trivial to DoS. I didn't realize it was so easy to cut off SSH access with the default configuration. Lesson learned since they seem to want to make a habit of this.
IPv6 is an annoyance for DoS in general. OVH only provides a /64 for dedicated servers and we primarily use standalone VPS instances. Since we use rsync across some of those, PerSourceNetBlockSize 32:64 isn't really an option. Would just have to either whitelist or disable IPv6.
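The settings discussed in the two replies above (PerSourceMaxStartups, a raised MaxStartups, PerSourceNetBlockSize, and dropping the finite-field Diffie-Hellman key exchanges), collected into one sshd_config fragment as an added example. This is not the GrapheneOS configuration from github.com/GrapheneOS/inf; the values are the ones mentioned in the thread, and the default values quoted in comments are from the OpenSSH 8.x sshd_config(5) manual. The PerSource* options need OpenSSH 8.5 or newer.

```sshd_config
# sshd_config fragment: per-source limits against connection-flood DoS.
# Added example; not the GrapheneOS config. Requires OpenSSH 8.5+ for PerSource*.

# Default is "MaxStartups 10:30:100": once ten unauthenticated connections are
# open (from any source combined), sshd starts refusing new ones at 30%, and
# refuses everything at 100. A single host can fill that on its own.
# Hardening: raise the global ceiling a lot, then cap each source separately.
MaxStartups 4096
PerSourceMaxStartups 1

# Address mask applied before counting sources, as IPv4bits:IPv6bits.
# OpenSSH default is 32:128 (every IPv6 address counted on its own).
# 32:64 treats a whole IPv6 /64 as one source, which is what an attacker with
# one /64 needs, but it also makes your own hosts inside a shared /64 (for
# example rsync peers) compete for that single PerSourceMaxStartups slot.
# Keep 32:128 if trusted hosts share a /64, or whitelist them with a Match block.
PerSourceNetBlockSize 32:64

# Remove the finite-field DH key exchanges (the CPU-heavy ones) from the
# default set. The leading "-" subtracts from the default list; curve25519 and
# the ECDH exchanges stay available.
KexAlgorithms -diffie-hellman-*

# Shorter unauthenticated window, so half-open sessions give their slot back sooner.
# (Default is 120 seconds.)
LoginGraceTime 30
```

After editing, `sshd -t` checks the file parses, and `sshd -T | grep -iE 'maxstartups|persource|kexalgorithms|logingracetime'` prints the effective values so you can confirm the PerSource* options were actually accepted by the installed version before reloading. Test from a second session before closing the one you edited from, since a KexAlgorithms mistake can lock you out just as effectively as the attack did.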
OVH DDoS protection is also only for IPv4. I think they currently use these for their DoS firewall:
bittware.com/resources/case
Broad IPv6 adoption seems like it could be a huge problem for DoS mitigation without the Cloudflare approach of a massive anycast network + reverse proxy.