lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: 08 Sep 2003 12:44:55 -0700
From: Dan Stromberg <strombrg@....nac.uci.edu>
To: Thamer Al-Harbash <tmh@...tefang.com>
Cc: Dan Stromberg <strombrg@....nac.uci.edu>,
	3APA3A <3APA3A@...URITY.NNOV.RU>, bugtraq@...urityfocus.com
Subject: Re: 11 years of inetd default insecurity?

On Sun, 2003-09-07 at 18:46, Thamer Al-Harbash wrote:
> On Sat, 6 Sep 2003, 3APA3A wrote:
> 
> > Dear bugtraq@...urityfocus.com,
> >
> > Well,  we all blame Microsoft in insecure default configuration... Isn't
> > it time to clean outdated code in Unix?
> 
> This has been a known problem for quite a while. In fact
> D. J. Bernstein already solved it with tcpserver:
> 
> http://cr.yp.to/ucspi-tcp.html
> 
> If you look at the bottom he points out pretty much what you
> pointed out.

So DJB's program basically has a large listen queue, and goes into
queue-only mode after 40 concurrent connections?

If that's the case, then there's still a DOS - just fill the listen
queue with so much stuff that connections aren't serviced for a long
time.

-- 
Dan Stromberg DCS/NACS/UCI <strombrg@....nac.uci.edu>


Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ