Add SCTP support to OpenSSH
Hello.
I don’t know how you do it; I never managed a(n exposed) server until
January, and now that I use Alpine (thanks for your packaging effort)
instead of FreeBSD I think what I have to face are TCP RST attacks on
SSH connections, leading to “connection reset”s (of course).
My first reaction was something like “go UDP”, but all I effectively need is SSH, so OpenVPN is much too full-blown for a bit of scp/ssh/git over ssh, and mosh (or a quick’n’dirty shot with new OpenSSL and DTLS, plus pty plus sh) is a complete disruption of the workflow. And IPsec is really, really no no no.
Looking around a bit I found RFC 4953, “Defending TCP Against Spoofing
Attacks”, and that mentions SCTP in a few places, e.g., “Other transport
protocols, such as SCTP and DCCP, also have limited antispoofing
mechanisms” and “whereas others establish per-connection identity based
on exchanged nonces (e.g., SCTP)”.
Now I knew there was an SCTP patch floating around for OpenSSH years ago, and it
is indeed actively maintained until today and even available in the
OpenSSH that Gentoo packages.
I’m not at all a network expert, so I don’t know whether SCTP will really
help against the particular attack I’m facing, but it sounds as if it
would address some problems in this area, and so I’m kindly asking for
inclusion of that actively maintained patch in the Alpine Linux OpenSSH
package.
I’ve downloaded the patch from [1]; the OpenSSH bugzilla entries are
[2] and [3]. Note that the patch ([1]) itself needs a patch for
using SCTP via getopt aka the command line (new -z option).
[1] http://ftp.uni-erlangen.de/pub/mirrors/gentoo/distfiles/openssh-7.2_p1-sctp.patch.xz
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=1604
[3] https://bugzilla.mindrot.org/show_bug.cgi?id=2016
(from redmine: issue id 5281, created on 2016-03-15)