lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20040620215116.GD13901@trimble.co.nz>
Date: Mon, 21 Jun 2004 09:51:16 +1200
From: Jason Haar <Jason.Haar@...mble.co.nz>
To: bugtraq@...urityfocus.com
Subject: Re: Multiple Antivirus Scanners DoS attack.


On Thu, Jun 17, 2004 at 08:50:49AM +0200, Jacek Osiecki wrote:
> I have also checked the latest F-Prot for Windows - it scans the file for
> quite a long time, but finally does not crash and detects the virus
> signature.

Aren't we missing the point here? If I can construct a ~10K file that causes
an AV to hang for 20 mins+ - and I send 50 of them at your server - then
*even if they have no virus in them*, they will DoS you.

Isn't the solution that AVs need to have "resource limits" - where you as
the admin get to set:

* the max size that a file can be expanded to
* the max recursions you will do
* the max time you are willing to spend scanning a message (that would be
  hard - becomes a bit of a loop when under load..)
* the max memory you are willing to let your AV grow to

and if any of those conditions are exceeded, then the AV must block-and-exit
(perhaps with a "DoS" descriptor). That way larger sites who are willing to
throw more hardware at this problem can have larger limits - basically you
can set those values to match your environment.


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ