Bugtraq mailing list archives

Re: Process table attack (from RISKS Digest)

From: jkb () BEST COM (Jan B. Koum)
Date: Mon, 22 Feb 1999 09:40:17 -0800


On Sat, Feb 20, 1999 at 01:42:53PM -0800, Mark Boolootian <booloo () cats ucsc edu> wrote:

Date: Fri, 19 Feb 1999 16:08:06 -0500

From: "Simson L. Garfinkel" <simsong () vineyard net>

Subject: Process-table attack

Wide-ranging attack works against almost any UNIX systems on the Internet

ABSTRACT:

The Process Table Attack is a [relatively] new kind of denial-of-service
attack that can be waged against numerous network services on a variety of
different UNIX systems. The attack is launched against network services
which fork() or otherwise allocate a new process for each incoming TCP/IP
connection.  Although the standard UNIX operating system places limits on
the number of processes that any one user may launch, there are no limits on
the number of processes that the superuser can create other than the hard
limits imposed by the operating system. Since incoming TCP/IP connections
are usually handled by servers that run as root, it is possible to
completely fill a target machine's process table with multiple
instantiations of network servers. Properly executed, this attack prevents
any other command from being executed on the target machine.


        I have not tested this, but I don't think this is true for at
        least FreeBSD. You see, it has what is called login limits and you
        can indeed put limits on root login user. From /etc/login.conf:

#root:\
#:cputime=infinity:\
#:datasize=infinity:\
#:stacksize=infinity:\
#:memorylocked=infinity:\
#:memoryuse=infinity:\
#:filesize=infinity:\
#:coredumpsize=infinity:\
#:openfiles=infinity:\
#:maxproc=infinity:\
#:memoryuse-cur=32M:\
#:maxproc-cur=64:\
#:openfiles-cur=1024:\
#:priority=0:\
#:requirehome@:\
#:umask=022:\
#:tc=auth-root-defaults:

        As far as I know (and I am sure 2829 peole will correct me if I am not),
        changing infinity to a numeric value should produce a desired result.
        AGAIN: I have not tested this yet for root user - but I know that the
        login limits do work for normal users.

-- Yan

Current thread:

Re: Pro/wuFTPD DoS Ultor (Feb 13)
- <Possible follow-ups>
- Re: Pro/wuFTPD DoS ga (Feb 15)
  - Re: Pro/wuFTPD DoS CyberPsychotic (Feb 17)
- Re: Pro/wuFTPD DoS CyberPsychotic (Feb 19)
  - Re: Pro/wuFTPD DoS Chris Wedgwood (Feb 20)
    - Process table attack (from RISKS Digest) Mark Boolootian (Feb 20)
    - LSOF exploit c0nd0r (Feb 21)
    - Re: Process table attack (from RISKS Digest) Olle Segerdahl,D (Feb 22)
    - Re: Process table attack (from RISKS Digest) Jan B. Koum (Feb 22)
    - ANNOUNCE: Net::RawIP 0.06 has been released Sergey V. Kolychev (Feb 22)
    - Summary: Copyright on Security advisories Aviram Jenik (Feb 22)
    - Re: Process table attack (from RISKS Digest) Dug Song (Feb 22)
    - NetBus client 1.x overflow Daniel Rosowski (Feb 22)
    - Re: Process table attack (from RISKS Digest) James Lockwood (Feb 22)
    - Re: Process table attack (from RISKS Digest) Dirk Moerenhout (Feb 22)
    - Re: Process table attack (from RISKS Digest) unknown () RIVERSTYX NET (Feb 22)
    - Re: Process table attack (from RISKS Digest) Andrew Hobgood (Feb 22)
    - Denial of service process table attacks John Conover (Feb 23)
    - Group kmem exploitable? Oliver Xymoron (Feb 23)

(Thread continues...)