On Mon, Jun 16, 2008 at 03:52:59PM -0700, Iain MacDonnell wrote:
> "MaxStartups
>
> Specifies the maximum number of concurrent unauthenticated connections
> to the sshd daemon. Additional connections are dropped until
> authentication succeeds or the LoginGraceTime expires for a
> connection. The default is 10.
>
> Alternatively, random early drop can be enabled by specifying the
> three colon-separated values start:rate:full (for example, 10:30:60).
> Referring to this example, sshd will refuse connection attempts with a
> probability of rate/100 (30% in our example) if there are currently 10
> (from the start field) unauthenticated connections. The probability
> increases linearly and all connection attempts are refused if the
> number of unauthenticated connections reaches full (60 in our
> example)."
Right, besides protecting against waste of computational resources, it also protects against wasting too much state in the form of connected TCP sockets. I think it might be better to have a way to "brake" some connections without dropping them.
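To make the start:rate:full arithmetic from the quoted man page concrete, here is an added Python model of the random-early-drop policy as described there (example code written for this thread, not OpenSSH's own implementation; treating a plain "N" as N:100:N and using integer percentage rounding are assumptions of the model):

```python
import random


def parse_max_startups(value):
    """Parse a MaxStartups value as described above: a plain count "N",
    or the random-early-drop form "start:rate:full"."""
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        # Assumption: a plain limit behaves like N:100:N - nothing is
        # refused below N unauthenticated connections, everything at N.
        return n, 100, n
    if len(parts) != 3:
        raise ValueError("expected N or start:rate:full")
    start, rate, full = (int(p) for p in parts)
    if start < 0 or not 0 <= rate <= 100 or full < start:
        raise ValueError("need 0 <= start <= full and 0 <= rate <= 100")
    return start, rate, full


def drop_probability(unauth, start, rate, full):
    """Percentage chance (0-100) that a new connection is refused while
    `unauth` unauthenticated connections are already open."""
    if unauth < start:
        return 0            # below start: never refuse
    if unauth >= full:
        return 100          # at or above full: always refuse
    # Linear ramp from rate% at `start` to 100% at `full`.  Integer
    # percentage arithmetic is an assumption of this model.
    return rate + (100 - rate) * (unauth - start) // (full - start)


def should_drop(unauth, start, rate, full, roll=None):
    """Apply the policy to one incoming connection.  `roll` is the random
    draw in 0..99 (drawn here if not supplied, exposed for testing)."""
    if roll is None:
        roll = random.randrange(100)
    return roll < drop_probability(unauth, start, rate, full)


def ramp(value):
    """Table of (unauthenticated connections -> refuse %) for a setting,
    e.g. ramp("10:30:60") reproduces the man page's worked example."""
    start, rate, full = parse_max_startups(value)
    return {n: drop_probability(n, start, rate, full)
            for n in range(0, full + 1)}
```

With 10:30:60 the table shows 0% below 10 open unauthenticated connections, 30% at exactly 10, 65% at 35 and 100% from 60 upward, which is the ramp the man page describes in words.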