Bugtraq mailing list archives
Re: News DoS using sendsys
From: mibsoft () mibsoftware com (Forrest J. Cavalier III)
Date: Wed, 26 Aug 1998 14:27:01 -0400
From: Walter Hafner <hafner () INFORMATIK TU-MUENCHEN DE>
Our newsserver (INN) all of a sudden gets several 100 'sendsys' requests per day. The addresses of the people requesting the sendsys seem to be completely random. They all seem to be normal user-accounts. We see these sendsys requests for about a week now.
Part I: sendsys mailbombing
---------------------------

The "From" addresses are all probably forged addresses. The sendsys message was sent from elsewhere to mailbomb the "From" address. Hundreds of sites around the internet will process the requests and generate one piece of mail each to the apparent originator.

Disabling automatic sendsys processing is appropriate, as suggested. However....

Part II: the Denial of Service
------------------------------

INN processes control messages, including sendsys, by spawning a shell process, which in turn spawns numerous shell and other processes which decide what action to take with the message.

A typical Usenet machine receives hundreds of messages per minute. Control messages are processed as they arrive, rather than waiting for the previous one to finish processing; it is possible to cause a machine load to skyrocket in short order.

(news.software.nntp has recently had a discussion on this topic. There is a third-party patch to "serialize" control message processing, which also more efficiently ignores messages, as it doesn't require the same shell-script processing.)

Depending on the flavor of message filter you are using, you may be able to block control messages from being accepted.

All stock versions of INN, from 1.4 (and perhaps earlier) to INN 2.1 are vulnerable. Current INN 2.x snapshots have an option to serialize control message processing, I believe.
Fortunately, this DoS is very easy to stop: just make sure that the news server doesn't reply to a 'sendsys' automatically.
That removes the mailbombing characteristic, but only partially helps with the system load.

Forrest J. Cavalier III, Mib Software, INN customization and consulting
'Pay-as-you-go' commercial support for INN: Only $64/hour!
Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages: Free access!
http://www.mibsoftware.com/innsup.htm
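Added example, not part of the original message and not code from INN or from the third-party patch: a small Python model of the load difference described in Part II, comparing one handler per arriving control message with a single serialized worker that drops ignored types before any handler starts. The message dictionaries, the 0.02 s handler cost and all function names are assumptions made for illustration.

```python
import queue
import threading
import time

class Meter:
    """Counts handlers running at once; each stands in for a spawned shell."""
    def __init__(self):
        self.lock = threading.Lock()
        self.active = self.peak = self.handled = 0

    def run_handler(self, msg, cost=0.02):
        with self.lock:
            self.active += 1
            self.peak = max(self.peak, self.active)
        time.sleep(cost)              # simulated shell-script work
        with self.lock:
            self.active -= 1
            self.handled += 1

def per_message(messages):
    """One handler started per arriving message; none waits for another."""
    meter = Meter()
    threads = [threading.Thread(target=meter.run_handler, args=(m,)) for m in messages]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return meter

def serialized(messages, ignore=frozenset({"sendsys"})):
    """Single worker drains a queue; ignored types never reach a handler."""
    meter, q, dropped = Meter(), queue.Queue(), 0
    def worker():
        while (m := q.get()) is not None:
            meter.run_handler(m)
    w = threading.Thread(target=worker)
    w.start()
    for m in messages:
        if m["type"] in ignore:
            dropped += 1              # cheap check, no handler spawned
        else:
            q.put(m)
    q.put(None)                       # sentinel: tell the worker to stop
    w.join()
    return meter, dropped

# Constructed burst: 40 forged sendsys requests mixed with 5 newgroup messages.
BURST = [{"type": "sendsys", "from": f"user{i}@example.invalid"} for i in range(40)]
BURST += [{"type": "newgroup", "from": "admin@example.invalid"} for _ in range(5)]

if __name__ == "__main__":
    print("per-message peak:", per_message(BURST).peak)
    m, d = serialized(BURST)
    print("serialized peak:", m.peak, "handled:", m.handled, "dropped:", d)
```

In the serialized case the peak number of concurrent handlers stays at one however large the burst is, which is the property the patch discussed above is after.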