Denial of service protection for NETCONF


Does NETCONF interface and/or the built-in SSH server include any controls to prevent denial of service attacks (e.g., rate limit SSH connection attempts and/or login attempts).

Best Regards,

See Erlang -- ssh


  • If set to false (the default value), only one login is handled at a time. If set to true, an unlimited number of login attempts are allowed simultaneously.

  • If the max_sessions option is set to N and parallel_login is set to true, the maximum number of simultaneous login attempts at any time is limited to N-K, where K is the number of authenticated connections present at this daemon.

Warning - Do not enable parallel_logins without protecting the server by other means, for example, by the max_sessions option or a firewall configuration. If set to true, there is no protection against DOS attacks.

The above configurables in confd.conf:

/confdConfig/ssh/parallelLogin (boolean) [false]
           By default parallel logins are disabled and will block more than one password authenticated session from seeing the password prompt. If enabled, then up to maxSessions minus
           active authenticated sessions will be shown password prompts.

and the maxSessions config under

           Parameters for limiting concurrent access to ConfD.

Best regards