Re: DOS against SuSE's identd

[wiegand () SUSE DE (Volker Wiegand)]

On Mon, 16 Aug 1999, Danton Nunes wrote:

> Hendrik says:
> > The inetd.conf starts the identd with the options -w -t120
> > -e.
> > This means that one identd process waits 120 seconds after
> > answering the first request to answer later request.
>
> No. accordint to inetd's man page:
>
>        The  -t<seconds>  option  is  used  to specify the timeout
>        limit. This is the number of seconds a server started with
>        the -w flag will wait for new connections before terminat-
>        ing. The server is automatically restarted by inetd  when-
>        ever a new connection is requested if it has terminated. A
>        suitable value for this is 120 (2 minutes),  if  used.  It
>        defaults to no timeout (i.e. will wait forever, or until a
>        fatal condition occurs in the server).
>
> this does not mean that the server does nothing until <seconds>
> elapse. it listen to requests and serves them. if there is
> no request during the <seconds> period it dies. Many inetd-spawned
> servers do like this (e.g. xtacacsd). if something is going wrong
> it is not related to the -t120 flag. Maybe inetd does not know
> there is an identd on duty and spawns another copy.
No, no. It is actually not inetd who spawns new processes, it is really
the in.identd. In fact, inetd has a fork-resource-limit built in, so that
it will refuse to spawn new servers if more than 40 (by default) requests
come in for the same service.

The in.identd found on the SuSE distribution is version 2.7.4 of Peter
Eriksson's pidentd, and that would fork one process for every new client
request as long as it can breath.

> > Lets say we start 100 requests in a short period.
> > Due to the fact that it takes time to answer one request
> > more identd's will be started each eating up about 900kb
> > memory and waiting 120 seconds before terminating.
> > I tested this behaviour on different machines with different
> > hardware (RAM, Swap, NIC).
> > Each machine becomes unusable after some seconds.
> > This bug is in _every_ SuSE Version at least since 4.4.
>
> this bug (if the bug is the way inetd is invoked) is in almost
> every /etc/inetd.conf in the Unix galaxy, not specific to SuSE Linux.
No, again. Sorry. It can safely be regarded as a bug. The "bug" is to not
perform resource control. In that respect you are right, there are other
buggy servers out there on the net. Anyway, inetd itself is clean.

The obvious fix is to change the /etc/inetd.conf setting to "-i -e" which
we will consider. This uses more resources (as every server started goes
through the database reading functions), but is DoS attack safe.

There are two viable long term solutions. Either switch to version 3.x.x
of pidentd, but for various reasons we have not yet full confidence into
this major rewrite, mainly for warnings the author himself has expressed.
Please don't get that wrong, this *IS* excellent software. And in terms of
resource control this version is clean.

What we will be providing on a short term basis is a patched 2.7.4 with
the resource control built in. With that fix in place it will be clean
also and can be invoked with "-i", "-w" or "-b" at will.

> --
> Danton Nunes      |      Consultoria e Serviços de Acesso à Internet
> InterNexo Ltda.   |  http://www.inexo.com.br/  mailto:danton () inexo com br
> S.J.Campos,BRASIL |  PGP: 02 D1 E2 DF 21 EC 48 69 3F D5 4D 1B 5D 73 F4 B5

We will shortly compile the fix and provide an advisory. Both will be
posted here when available.

Volker Wiegand

--
Volker Wiegand              Phone: +49 (0) 6196 / 50951-24
SuSE Rhein/Main AG i.G.       Fax: +49 (0) 6196 / 40 96 07
Mergenthalerallee 45-47    Mobile: +49 (0) 179 / 292 66 76
D-65760 Eschborn           E-Mail:  Volker.Wiegand () suse de