Thanks Steve! I think that should help a lot.

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband


----- Original Message ----- From: "Steve" <[EMAIL PROTECTED]>
To: "WISPA General List" <wireless@wispa.org>
Sent: Sunday, January 07, 2007 11:52 AM
Subject: Re: [WISPA] SSH DOS Killing Linux


Have you installed software such as fail2ban, which will block the IP
address after n failed SSH logins for n seconds?
Depending on the purpose of the server it may block Internet access for
the client, but I wouldn't worry about that for my network.
I have it installed on all my Linux boxes and it blocks the routine SSH
attacks that are all too common these days.

--

Tom DeReggi wrote:
We recently had a really nasty DOS attack that took down a large part
of our network across several cell sites, from the infected client all
the way to the Internet transit.
Take note that we identified the problem quickly and cured it quickly.
But.... This is the first time that this has occurred in 5 years, as we
have a good number of smart design characteristics that have limited
the effects of most viruses on our network.  We stopped the attack by
blocking SSH to the infected sub.  The average amount of traffic
crossing the entire network path from the client to the Internet was
about 500 kbps on average.  (This was a 20 mbps wireless link, and a
100 mbps fiber transport link to the transit.)  The two routers were a
P4 2 GHz, and a Dual XEON 2.2 GHz w/ 10,000 rpm SCSI3.  The damage was
that the CPU was nailed on both routers to about 99.9% using "TOP" to
monitor stats.  We verified that successful SSH sessions were not made
directly to the protected routers themselves.  Take note that the
wireless links were barely affected; it was the router 2 hops away
(Dual XEON) that got overloaded the most.  Our routers have been
tested to pass over 2 gbps of throughput easily, and have been load
tested to survive very small packets and high PPS adequately.  The
infected sub was bandwidth managed with HTB to 256k CIR, 1 mbps MIR,
but not anything for PPS.  So I'm looking for reasons that the CPU got
overloaded.  My theory is that the DOS attack resulted in a large
number of disk writes (maybe logging?), causing the CPU saturation.
I've had a hard time locating the cause, and have not discovered which
virus yet, although I should have more info soon from my clients.

So my question....

What needs to be done on a Linux machine to harden it, to protect
against CPU oversaturation, during DOS attacks?

What should and shouldn't be logged? Connection Tracking? Firewall
logging? Traffic stats?

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband

--
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/
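Steve's suggestion comes down to a simple rule: count failed SSH logins per source address inside a sliding window and block the address once it crosses a threshold. The script below is an added example of that logic, not Steve's code or fail2ban's own; it assumes OpenSSH's "Failed password ... from <ip>" log wording and runs over constructed sample lines with integer timestamps (seconds).

```python
import re
from collections import defaultdict, deque

# OpenSSH writes this wording to auth.log on a failed password attempt.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")


def find_offenders(log_lines, maxretry=5, findtime=600, bantime=3600):
    """Return {ip: ban_expiry} for every source with >= maxretry failures
    inside any findtime-second window (the fail2ban jail parameters).
    log_lines is a list of (timestamp_seconds, text) tuples."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for ts, text in log_lines:
        m = FAILED_RE.search(text)
        if not m:
            continue              # successful logins and other lines are ignored
        ip = m.group(1)
        if ip in bans and ts < bans[ip]:
            continue              # already banned; the firewall would drop this
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts + bantime
            window.clear()
    return bans


def iptables_rules(bans):
    """Render the block rules fail2ban would push, one per banned address."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(bans)]


# Constructed sample: 203.0.113.7 hammers the box, 192.0.2.9 fails slowly
# (five tries spread over 800 s, so never five inside 600 s), and
# 198.51.100.4 mistypes once.
SAMPLE = [
    (0,   "sshd[1201]: Failed password for root from 203.0.113.7 port 40211 ssh2"),
    (0,   "sshd[1205]: Failed password for invalid user admin from 192.0.2.9 port 5022 ssh2"),
    (2,   "sshd[1209]: Failed password for invalid user admin from 203.0.113.7 port 40212 ssh2"),
    (3,   "sshd[1211]: Failed password for tom from 198.51.100.4 port 51000 ssh2"),
    (4,   "sshd[1213]: Failed password for root from 203.0.113.7 port 40213 ssh2"),
    (5,   "sshd[1215]: Accepted password for tom from 198.51.100.4 port 51001 ssh2"),
    (6,   "sshd[1217]: Failed password for invalid user test from 203.0.113.7 port 40214 ssh2"),
    (8,   "sshd[1219]: Failed password for root from 203.0.113.7 port 40215 ssh2"),
    (200, "sshd[1301]: Failed password for invalid user admin from 192.0.2.9 port 5023 ssh2"),
    (400, "sshd[1302]: Failed password for invalid user admin from 192.0.2.9 port 5024 ssh2"),
    (600, "sshd[1303]: Failed password for invalid user admin from 192.0.2.9 port 5025 ssh2"),
    (800, "sshd[1304]: Failed password for invalid user admin from 192.0.2.9 port 5026 ssh2"),
]

if __name__ == "__main__":
    for rule in iptables_rules(find_offenders(SAMPLE)):
        print(rule)
```

Note that a ban only helps Tom's case if it is enforced in the packet filter ahead of sshd and its logging; the CPU cost he describes comes from the daemon accepting and logging every attempt, so dropping the source at the firewall is what removes the load.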