| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Jun 2004 09:51:16 +1200 From: Jason Haar <Jason.Haar@...mble.co.nz> To: bugtraq@...urityfocus.com Subject: Re: Multiple Antivirus Scanners DoS attack. On Thu, Jun 17, 2004 at 08:50:49AM +0200, Jacek Osiecki wrote: > I have also checked the latest F-Prot for Windows - it scans the file for > quite a long time, but finally does not crash and detects the virus > signature. Aren't we missing the point here? If I can construct a ~10K file that causes an AV to hang for 20 mins+ - and I send 50 of them at your server - then *even if they have no virus in them*, they will DoS you. Isn't the solution that AVs need to have "resource limits" - where you as the admin get to set: * the max size that a file can be expanded to * the max recursions you will do * the max time you are willing to spend scanning a message (that would be hard - becomes a bit of a loop when under load..) * the max memory you are willing to let your AV grow to and if any of those conditions are exceeded, then the AV must block-and-exit (perhaps with a "DoS" descriptor). That way larger sites who are willing to throw more hardware at this problem can have larger limits - basically you can set those values to match your environment. -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Powered by blists - more mailing lists