Bugtraq mailing list archives
News DoS using sendsys
From: hafner () INFORMATIK TU-MUENCHEN DE (Walter Hafner)
Date: Wed, 26 Aug 1998 11:50:15 +0200
I think we (a local ISP in Augsburg/Germany ...) are hit by a DoS that wasn't described here before:

Our newsserver (INN) all of a sudden gets several 100 'sendsys' requests per day. The addresses of the people requesting the sendsys seem to be completely random. They all seem to be normal user-accounts.

We see these sendsys requests for about a week now. Since our INN is configured to report all 'unusual' control messages to the news-administrators, rather than to execute it, the DoS doesn't hurt us very much.

My Mailfolder now usually looks like:

    N  2 Aug 26 News Subsystem  (74) sendsys by ktakamura () hootmall com
    N  3 Aug 26 News Subsystem  (53) sendsys by ritchie@pumpaloaf.dennon.
    N  4 Aug 26 News Subsystem  (64) sendsys by ritchie@pumpaloaf.dennon.
    N  5 Aug 26 News Subsystem  (64) sendsys by flaagg () not valid net
    N  6 Aug 26 News Subsystem  (66) sendsys by ktakamura () hootmall com

The body of the mails looks like:

    jf enbg kg wwt ncoy psb bdoo ldb jg aqk gsic jnsy td mvdo gvui mt uhlq pab nicw vvk knb kqqu ippi htji bsp vpq hdm
    [...]

I didn't bother to check the validity of the addresses (note the double addresses).

I can imagine two impacts on small ISPs:

- the lines of the ISP can get overloaded (if you're a small ISP like we are, and have only very limited bandwidth, this can be an issue)

- If you have only limited resources and use one machine to do Mail and News, this machine will slow down considerably. Furthermore, your spooling partition could overflow (if it is handling News _and_ Mail) and throttle the INN.

Fortunately, this DoS is very easy to stop: Just make sure that the Newsserver doesn't reply to a 'sendsys' automatically.

-Walter

--
Walter Hafner_______________________________ hafner () in tum de
*CLICK* http://www.in.tum.de/~hafner/
The best observation I can make is that the BSD Daemon logo is _much_ cooler than that Penguin :-) (Donald Whiteside)
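One way to check the mitigation described in the post, as an added example that is not part of the original message or of INN itself: a small audit of an INN control.ctl-style file that reports which senders would get an automatic 'sendsys' reply. It assumes the `type:from:newsgroups:action` line layout with the last matching line winning; the sample files and addresses are constructed, and Python's fnmatch stands in for INN's wildmat matching.

```python
from fnmatch import fnmatchcase

# Constructed control.ctl samples (type:from:newsgroups:action), not from the post.
WEAK = """\
all:*:*:mail
sendsys:*:*:doit
"""
HARDENED = """\
# report everything, log sendsys, answer only the upstream admin
all:*:*:mail
sendsys:*:*:log=sendsys
sendsys:admin@upstream.example:*:doit
"""

def parse(text):
    """Return (line_no, type, from_pattern, action) for each rule line."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) != 4:
            raise ValueError(f"line {n}: expected 4 colon-separated fields")
        rules.append((n, parts[0], parts[1], parts[3]))
    return rules

def effective_action(rules, msg_type, sender):
    """Last matching rule wins; fnmatch stands in for INN's wildmat here."""
    hit = None
    for n, typ, pattern, action in rules:
        if typ in ("all", msg_type) and fnmatchcase(sender.lower(), pattern.lower()):
            hit = (n, action)
    return hit

def auto_replies(text, senders, msg_type="sendsys"):
    """Senders whose control message would be executed without review."""
    rules = parse(text)
    out = []
    for s in senders:
        hit = effective_action(rules, msg_type, s)
        if hit and hit[1].split("=", 1)[0] == "doit":
            out.append(s)
    return out

# Constructed sender addresses standing in for the random requesters.
SENDERS = ["user1@random.example", "user2@other.example", "admin@upstream.example"]

if __name__ == "__main__":
    print("weak:", auto_replies(WEAK, SENDERS))
    print("hardened:", auto_replies(HARDENED, SENDERS))
```

A sender pattern only narrows who gets a reply; it matches a header the requester supplies, so any remaining `doit` entry for sendsys still deserves review.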