Your browser does not allow storing cookies. We recommend enabling them.


Load Control

The purpose of load control is to help keep Tectia Server for IBM z/OS running when the load is high (that is, the number of current connections is near the maximum allowed number of connections). High load might be caused by a connection flood denial-of-service attack that tries to make the server unavailable to its intended users by using so much of its resources that normal service is disrupted.

Load control is implemented by keeping a "white list" of the IP addresses of connections that have had a successful authentication. When Tectia Server for IBM z/OS starts, the white list is empty. When the server's load is high, connections from IP addresses that are not on the white list (that is, connections that have not recently had a successful authentication) are discarded.

Load control uses four configuration variables in the sshd2_config file: MaxConnections, LoadControl.Active, LoadControl.DiscardLimit, and LoadControl.WhitelistSize.


It is recommended to set LoadControl.Active to yes, and MaxConnections to a proper value to prevent sshd2 from forking too many processes which might exceed the USS BPXPRMxx MAXPROCSYS value. It is also recommended to set MaxConnections to roughly half of the MAXPROCSYS value. Adjust the values of TcpListenBacklog, TcpListenRate, and TcpListenPause according to your CPU and network speeds.

The level of load is measured by how near the number of the server's current connections is to MaxConnections, the maximum number of connections that the server will handle simultaneously. The argument for MaxConnections is a positive number. The default value is 1000, and the value 0 (zero) means that the number of connections is not limited. MaxConnections must be greater than 1 when load control is used.

LoadControl.Active can have a value of yes or no. The default value is no (load control is disabled). To enable load control, set LoadControl.Active to yes.


If MaxConnections is set to 0 or 1, load control is disabled even if you have set LoadControl.Active to yes in the sshd2_config file.

When the number of concurrent connections is greater than LoadControl.DiscardLimit, connections from IP addresses that have not recently had a successful authentication are discarded. When the number of concurrent connections is not greater than LoadControl.DiscardLimit, connections are accepted from any IP address (subject to restrictions defined with AllowHosts and DenyHosts). The allowed value range of LoadControl.DiscardLimit is from 1 to MaxConnections-1. The default value is 90 percent of the value of MaxConnections. If you have not defined any configuration settings (that is, only sshd2_config default values are used), the value of LoadControl.DiscardLimit is 900.

Tectia Server for IBM z/OS keeps a list of the IP addresses of connections that have had a successful authentication. This "white list" has space for a fixed number of unique IP addresses, specified by LoadControl.WhitelistSize. The default value of LoadControl.WhitelistSize is 1000.


Highlights from the SSH.COM blog:

  • Cryptomining with the SSH protocol: what big enterprises need to know about it

    Cryptomining malware is primarily thought of as targeting desktops and laptops and is used to hijack system resources to mine cryptocurrency.
    Read more
  • SLAM the door shut on traditional privileged access management

    Did you know that something as trivial-sounding as granting access for your developers or third parties to a product development environment can throw a gorilla-sized monkey wrench into your operations and productivity?
    Read more
  • We broke the IT security perimeter

    Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so.
    Read more