SSH Dheat attack vulnerability on our Netlify site?
We host a static Gatsby website for a customer who has reported a vulnerability that was found during a security scan.

Reported vulnerability details below:

Title: SSH Dheat attack vulnerability

Synopsis: SSH server is vulnerable to denial of service vulnerability

Description: [CVE-2002-20001] The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. The client needs very little CPU resources and network bandwidth.

Solution: Disabling the Diffie-Hellman key exchange algorithms in the application server configurations mitigates the vulnerability. Using application server-specific rate limitation techniques or rate-limiting suspicious clients by their addresses (e.g. Fail2Ban) can effectively reduce the risk of a successful attack.

Findings: Vulnerable Diffie-Hellman KEXs supported by the server:

* diffie-hellman-group-exchange-sha256
* diffie-hellman-group16-sha512
* diffie-hellman-group18-sha512
* diffie-hellman-group14-sha256

Port: 22/tcp

Site name:

Any ideas/suggestions regarding this issue? Can it be resolved?
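For readers who do administer an OpenSSH server and want to act on the "Solution" section of the finding, here is an added example (not from the original post, and not Netlify's or the scanner's code). It reads the effective sshd configuration as dumped by `sshd -T`, reports which of the four key-exchange methods named in the finding are advertised, and builds a `KexAlgorithms` directive that keeps the ECDH/curve25519 methods and drops every finite-field Diffie-Hellman method. The `sshd -T` output embedded below is a constructed sample; the script assumes you control the server's `sshd_config` and does not contact any host.

```python
"""Audit an OpenSSH server's effective key-exchange list for the finite-field
Diffie-Hellman (DHE) methods named in the D(HE)ater finding and produce a
KexAlgorithms directive without them.

Input is the effective-configuration dump printed by `sshd -T`; the sample
below is constructed for this example."""

# Constructed sample of `sshd -T` output: a default-like kex list that still
# advertises the four methods flagged in the scan.
SAMPLE_SSHD_T = """\
port 22
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
"""

# The four methods listed in the scan finding.
FLAGGED_DHE_KEX = frozenset({
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256",
})


def is_dhe_kex(name: str) -> bool:
    """True for any finite-field DH method: these are the ones whose
    server-side modular exponentiation the D(HE)ater attack drives."""
    return name.startswith("diffie-hellman-group")


def kex_list_from_sshd_t(dump: str) -> list[str]:
    """Return the kexalgorithms list from an `sshd -T` dump (empty if absent)."""
    for line in dump.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "kexalgorithms":
            return [n for n in value.split(",") if n]
    return []


def audit_kex(names: list[str]) -> dict:
    """Split the advertised list into the methods the finding flags, any other
    DHE methods, and the non-DHE (ECDH / curve25519 / hybrid) methods."""
    flagged = [n for n in names if n in FLAGGED_DHE_KEX]
    other_dhe = [n for n in names if is_dhe_kex(n) and n not in FLAGGED_DHE_KEX]
    kept = [n for n in names if not is_dhe_kex(n)]
    return {"flagged": flagged, "other_dhe": other_dhe, "kept": kept}


def hardened_kex_directive(names: list[str]) -> str:
    """Build an sshd_config KexAlgorithms line that keeps the advertised order
    but drops every finite-field DH method.  Refuses to produce a directive
    that would leave the server with no key exchange at all."""
    kept = audit_kex(names)["kept"]
    if not kept:
        raise ValueError(
            "no non-DHE key exchange left; add an ECDH/curve25519 method "
            "before removing the DHE methods")
    return "KexAlgorithms " + ",".join(kept)


if __name__ == "__main__":
    advertised = kex_list_from_sshd_t(SAMPLE_SSHD_T)
    report = audit_kex(advertised)
    print("flagged by the scan :", report["flagged"])
    print("other DHE methods   :", report["other_dhe"])
    print("proposed directive  :", hardened_kex_directive(advertised))
```

On a real server, replace the sample with `sshd -T` output (run as root), add the printed `KexAlgorithms` line to `sshd_config`, and re-run the audit after reloading sshd to confirm no `diffie-hellman-group*` method is advertised any more. The finding's second mitigation, per-address rate limiting such as Fail2Ban, is independent of this change and is not shown here.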

Note that any kind of automated scan or test on the platform without written permission is against our Terms of Service.

Anyways, talking about your issue, is there a proof (of concept) of the exploit? A lot of automated tools return various different kinds of generic errors, which in most cases do not apply.