Bugtraq mailing list archives

Re: DOS against SuSE's identd


From: danton () INEXO COM BR (Danton Nunes)
Date: Mon, 16 Aug 1999 22:20:26 -0300


Hendrik says:
> The inetd.conf starts the identd with the options -w -t120 -e.
> This means that one identd process waits 120 seconds after
> answering the first request to answer later requests.

No. according to inetd's man page:

       The  -t<seconds>  option  is  used  to specify the timeout
       limit. This is the number of seconds a server started with
       the -w flag will wait for new connections before terminat-
       ing. The server is automatically restarted by inetd  when-
       ever a new connection is requested if it has terminated. A
       suitable value for this is 120 (2 minutes),  if  used.  It
       defaults to no timeout (i.e. will wait forever, or until a
       fatal condition occurs in the server).

this does not mean that the server does nothing until <seconds>
elapse. it listens to requests and serves them. if there is
no request during the <seconds> period it dies. Many inetd-spawned
servers do like this (e.g. xtacacsd). if something is going wrong
it is not related to the -t120 flag. Maybe inetd does not know
there is an identd on duty and spawns another copy.

> Let's say we start 100 requests in a short period.
> Due to the fact that it takes time to answer one request
> more identd's will be started each eating up about 900kb
> memory and waiting 120 seconds before terminating.
> I tested this behaviour on different machines with different
> hardware (RAM, Swap, NIC).
> Each machine becomes unusable after some seconds.
> This bug is in _every_ SuSE Version at least since 4.4.

this bug (if the bug is the way inetd is invoked) is in almost
every /etc/inetd.conf in the Unix galaxy, not specific to SuSE Linux.

--
Danton Nunes      |      Consultoria e Serviços de Acesso à Internet
InterNexo Ltda.   |  http://www.inexo.com.br/  mailto:danton () inexo com br
S.J.Campos,BRASIL |  PGP: 02 D1 E2 DF 21 EC 48 69 3F D5 4D 1B 5D 73 F4 B5


