<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.12.3">
</HEAD>
<BODY>
On Sun, 2007-05-27 at 08:59 -0700, Wolfgang S. Rupprecht wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">Tom Rivers <<A HREF="mailto:tom@impact-crater.com">tom@impact-crater.com</A>> writes:</FONT>
<FONT COLOR="#000000">> On Sat, 2007-05-26 at 13:16 -0700, Wolfgang S. Rupprecht wrote:</FONT>
<FONT COLOR="#000000">>> Such programs help you save the CPU time of sshd answering the</FONT>
<FONT COLOR="#000000">>> connection from a single abusive host, but would do little against a</FONT>
<FONT COLOR="#000000">>> distributed botnet attack. Luckily botnets aren't really used against</FONT>
<FONT COLOR="#000000">>> sshd yet, but it they were you'd potentially be seeing distributed</FONT>
<FONT COLOR="#000000">>> guessing attacks from 10,000 different hosts. If they all took turns</FONT>
<FONT COLOR="#000000">>> to guess a single password in round-robin fashion, the filters would</FONT>
<FONT COLOR="#000000">>> never trip.</FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">> You're right. What do you recommend to protect against this sort of</FONT>
<FONT COLOR="#000000">> attack?</FONT>
<FONT COLOR="#000000">There are two things to defend against, 1) attackers actually guessing</FONT>
<FONT COLOR="#000000">a working password 2) the system resources wasted answering the</FONT>
<FONT COLOR="#000000">attacks.</FONT>
<FONT COLOR="#000000">For the first one is easily taken care of by having the computer pick</FONT>
<FONT COLOR="#000000">a random number as a password for you. Remembering and typing</FONT>
<FONT COLOR="#000000">gibberish passwords is hard, so it is best to have the computer's</FONT>
<FONT COLOR="#000000">machinery do the drudge work. This is what ssh's RSA (and DSA)</FONT>
<FONT COLOR="#000000">mechanism does. It chooses a 1kbit long password for you and</FONT>
<FONT COLOR="#000000">effectively stores it for you so you never have to type it. It then</FONT>
<FONT COLOR="#000000">encrypts that 1kbit password with a "human" password you chose. This</FONT>
<FONT COLOR="#000000">password can be a really *bad* password (pets name, mother's maiden</FONT>
<FONT COLOR="#000000">name etc.) without any ill effects. The human-password is never used</FONT>
<FONT COLOR="#000000">by ssh for anything but decoding it's 1k-bit password on the local</FONT>
<FONT COLOR="#000000">machine when ssh starts up. The 1k-bit password is the one ssh uses</FONT>
<FONT COLOR="#000000">"on the wire". The fact that the attacker now has to guess the 1kbit</FONT>
<FONT COLOR="#000000">password is what makes the whole thing so safe. Doing an exhaustive</FONT>
<FONT COLOR="#000000">search on that takes many, many times the life of the universe.</FONT>
<FONT COLOR="#000000">(I didn't want to post this link in the last message, I've posted it</FONT>
<FONT COLOR="#000000">twice already and was afraid someone would think I was spamming the</FONT>
<FONT COLOR="#000000">same link repeatedly. SSH RSA setup:</FONT>
<FONT COLOR="#000000"><A HREF="http://www.wsrcc.com/wolfgang/sshd-config.html">http://www.wsrcc.com/wolfgang/sshd-config.html</A> )</FONT>
<FONT COLOR="#000000">As for the defense against the DDOS resource exhaustion of a</FONT>
<FONT COLOR="#000000">theoretical botnet sshd attack. I'm not sure you can do much but try</FONT>
<FONT COLOR="#000000">to change your IP address. Ultimately legislation will probably be</FONT>
<FONT COLOR="#000000">needed to fine the fools running virus-riddled computers that are</FONT>
<FONT COLOR="#000000">supplying the computer workforce for the botnets.</FONT>
</PRE>
</BLOCKQUOTE>
Hi, Wolfgang, <BR>
I am sur e you didn't mean to insult the folks who use our efforts, the users, but instead the designers of the bots themselves should be the ones in deep trouble. Even those who study and work dilligently at defense get hacked sometimes via the combination of total effort expended against them, and the fact that the hackers only need to "get it right once" as has been said by Rumsfeld in connection with terrorists. I believe that it is possible to have good security and still get hit. I mean, we have had banks for thousands of years, and they still get robbed. Do we blame the bankers?<BR>
<BR>
Regards,<BR>
Les H
</BODY>
</HTML>