lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5.2.0.9.0.20030908134545.06dd9dd8@209.112.4.2>
Date: Mon, 08 Sep 2003 13:50:15 -0400
From: Mike Tancsa <mike@...tex.net>
To: bugtraq@...urityfocus.com
Cc: 3APA3A@...URITY.NNOV.RU
Subject: Re: 11 years of inetd default insecurity?


At 06:08 PM 06/09/2003 +0400, 3APA3A wrote:

>The  problem  is,  remote attacker can establish as much connections per
>minute  as  bandwidth allows... Now, guess how inetd reacts if more than
>256 connections received in one minute? It will disable service for next
>10   minutes   to  help attack to succeed. Of cause, this is documented.
>Interval is not configurable.
>
>something like
>
>Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service 
>terminated
>
>will  appear  in  logs...  If  connection  is  closed by attacker before
>service actually starts, IP address of attacker will never be logged.
>
>IV. Workaround

Hi,
On FreeBSD's inetd there is the -C option in conjunction with the -R option

      -C rate
              Specify the default maximum number of times a service can be
              invoked from a single IP address in one minute; the default is
              unlimited.  May be overridden on a per-service basis with the
              "max-connections-per-ip-per-minute" parameter.

      -R rate
              Specify the maximum number of times a service can be invoked in
              one minute; the default is 256.  A rate of 0 allows an unlimited
              number of invocations.

You can run without either of these options, but then you risk a DoS from 
resource starvation.  e.g. invoke 1000 copies of ftpd and eat up all the 
RAM/Swap etc.  Its problematic either way, but at least you can mitigate 
the effects somewhat if its a single host attacking.

         ---Mike 



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ