Bugtraq mailing list archives
Re: DOS against SuSE's identd
From: wiegand () SUSE DE (Volker Wiegand)
Date: Wed, 18 Aug 1999 07:27:31 +0200
On Mon, 16 Aug 1999, Danton Nunes wrote:
> Hendrik says:
> > The inetd.conf starts the identd with the options -w -t120 -e. This means that one identd process waits 120 seconds after answering the first request to answer later requests.
>
> No. According to inetd's man page:
>
>     The -t<seconds> option is used to specify the timeout limit. This is the number of seconds a server started with the -w flag will wait for new connections before terminating. The server is automatically restarted by inetd whenever a new connection is requested if it has terminated. A suitable value for this is 120 (2 minutes), if used. It defaults to no timeout (i.e. will wait forever, or until a fatal condition occurs in the server).
>
> This does not mean that the server does nothing until <seconds> elapse. It listens to requests and serves them. If there is no request during the <seconds> period it dies. Many inetd-spawned servers behave like this (e.g. xtacacsd). If something is going wrong it is not related to the -t120 flag. Maybe inetd does not know there is an identd on duty and spawns another copy.
No, no. It is actually not inetd who spawns new processes, it is really the in.identd. In fact, inetd has a fork-resource-limit built in, so that it will refuse to spawn new servers if more than 40 (by default) requests come in for the same service. The in.identd found on the SuSE distribution is version 2.7.4 of Peter Eriksson's pidentd, and that would fork one process for every new client request as long as it can breathe.
> > Let's say we start 100 requests in a short period. Due to the fact that it takes time to answer one request, more identds will be started, each eating up about 900kb memory and waiting 120 seconds before terminating. I tested this behaviour on different machines with different hardware (RAM, Swap, NIC). Each machine becomes unusable after some seconds. This bug is in _every_ SuSE Version at least since 4.4.
>
> This bug (if the bug is the way inetd is invoked) is in almost every /etc/inetd.conf in the Unix galaxy, not specific to SuSE Linux.
No, again. Sorry. It can safely be regarded as a bug. The "bug" is to not perform resource control. In that respect you are right, there are other buggy servers out there on the net. Anyway, inetd itself is clean. The obvious fix is to change the /etc/inetd.conf setting to "-i -e", which we will consider. This uses more resources (as every server started goes through the database reading functions), but is DoS attack safe. There are two viable long term solutions. Either switch to version 3.x.x of pidentd, but for various reasons we do not yet have full confidence in this major rewrite, mainly because of warnings the author himself has expressed. Please don't get that wrong, this *IS* excellent software. And in terms of resource control this version is clean. What we will be providing on a short term basis is a patched 2.7.4 with the resource control built in. With that fix in place it will be clean also and can be invoked with "-i", "-w" or "-b" at will.
> --
> Danton Nunes       | Consultoria e Serviços de Acesso à Internet
> InterNexo Ltda.    | http://www.inexo.com.br/  mailto:danton () inexo com br
> S.J.Campos,BRASIL  | PGP: 02 D1 E2 DF 21 EC 48 69 3F D5 4D 1B 5D 73 F4 B5
We will shortly compile the fix and provide an advisory. Both will be posted here when available.

Volker Wiegand

--
Volker Wiegand             Phone:  +49 (0) 6196 / 50951-24
SuSE Rhein/Main AG i.G.    Fax:    +49 (0) 6196 / 40 96 07
Mergenthalerallee 45-47    Mobile: +49 (0) 179 / 292 66 76
D-65760 Eschborn           E-Mail: Volker.Wiegand () suse de
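The resource control Volker describes, a forking server that refuses to spawn past a cap on live children, shown as an added example that is not pidentd's or SuSE's code: the accept loop reserves a slot before forking and, when at the cap, parks in waitpid() until a child exits instead of forking another one. The cap MAX_CHILDREN, loopback port 11300 and the placeholder ident reply are assumptions.

```c
/* Added example, not pidentd's code: a fork-per-connection accept loop with
 * the "resource control" the reply describes, i.e. a cap on live children. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#define MAX_CHILDREN 16             /* assumed cap; a real daemon takes it as a flag */
static int active_children = 0;     /* children forked and not yet reaped */
/* Take a slot for one more child; 0 means "at the cap, do not fork". */
int reserve_child_slot(int cap)
{
    if (active_children >= cap) return 0;
    active_children++; return 1;
}
/* Free a slot: a child was reaped, or accept()/fork() failed after reserving. */
void release_child_slot(void) { if (active_children > 0) active_children--; }
/* Reap finished children. With block set, the first wait sleeps until a
 * child exits, so the caller parks at the cap instead of forking past it. */
void reap_children(int block)
{
    pid_t p;
    while ((p = waitpid(-1, NULL, block ? 0 : WNOHANG)) > 0) {
        release_child_slot(); block = 0;   /* drain the rest without blocking */
    }
    if (p < 0 && errno == ECHILD)
        active_children = 0;        /* no children exist: the count is stale */
}
int main(void)
{
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(11300) };
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* assumed: loopback only */
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&a, sizeof a) < 0 || listen(lfd, 64) < 0) {
        perror("listen"); return 1;
    }
    for (;;) {
        reap_children(0);
        if (!reserve_child_slot(MAX_CHILDREN)) { reap_children(1); continue; }
        int cfd = accept(lfd, NULL, NULL);
        if (cfd < 0) { release_child_slot(); continue; }
        pid_t pid = fork();
        if (pid == 0) {             /* child: placeholder ident reply, then exit */
            static const char r[] = "0 , 0 : ERROR : UNKNOWN-ERROR\r\n";
            close(lfd); write(cfd, r, sizeof r - 1); close(cfd); _exit(0);
        }
        if (pid < 0) release_child_slot();
        close(cfd);                 /* parent keeps no per-client state */
    }
}
```

With this loop, a flood of connections queues in the listen backlog and is served by at most MAX_CHILDREN processes at a time, rather than by one new process per request.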