Bugtraq mailing list archives
Re: Process table attack (from RISKS Digest)
From: james () VANEYCK GII GETTY EDU (James Lockwood)
Date: Mon, 22 Feb 1999 14:33:23 -0800
On Sat, 20 Feb 1999, Mark Boolootian wrote:
The Process Table Attack is a [relatively] new kind of denial-of-service attack that can be waged against numerous network services on a variety of different UNIX systems. The attack is launched against network services
Although not without quirks, I recommend that anyone interested in defending against this attack take a look at xinetd. It solves these problems and others, and has been available for a number of years (I started using it in 1993):

(xinetd README)
] Q. Why should I use it ?
] A. Because it is a lot better (IMHO) than inetd. Here are the reasons:
]
] 4) It can prevent denial-of-access attacks by
]       a. placing limits on the number of servers for each service
]          (avoids process table overflows)
]       b. placing an upper bound on the number of processes it will fork
]       c. placing limits on the size of log files it creates
2. Alternatively, if there are more than a preset number of network daemons for the service running, incoming requests should be queued rather than serviced.
This is the approach that xinetd takes:

(xinetd.conf manpage)
] instances    determines the number of servers that can
]              be simultaneously active for a service (the
]              default is no limit). The value of this
]              attribute can be either a number or UNLIMITED
]              which means that there is no limit.
3. Network services (such as finger) should implement timeouts. For example, the statement alarm(30) could be inserted into the finger daemon source code so that the program would stop running after 30 seconds of execution.
Or, better yet, a timeout option should be implemented in the inetd daemon. I have added this to my local copy of xinetd 2.2.1 with the following syntax:

        timeout = 30 # 30-second timeout
        timeoutsig = SIGINT # signal to send when timeout is hit

Modifications are fairly trivial, does anyone know if Jan Wedekind and Chuck Murcko are still maintaining it?
[Simson informed me over a year ago that he had discovered this attack and had notified many relevant operating system vendors. To the best of my knowledge, no one has addressed the problem in the intervening year.
Again, check out xinetd. It's not new and flashy (and it doesn't work with TLI services) but it does the job well. I have found it to be rock-solid.

-James

--
James D. Lockwood                The (former) Getty Information Institute
System Administrator             1200 Getty Center Drive, Suite 300
james () gii getty edu           Los Angeles, CA 90049-1680
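The two defenses discussed in this message, a cap on simultaneous servers per service and a per-server timeout via alarm(), sketched together in C. This is an added example, not part of the original post and not xinetd's code; MAX_INSTANCES, start_handler, reap_children and stalled_client are hypothetical names, and the 1-second timeout in main() is only there to keep the demo short.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_INSTANCES 2          /* assumed cap, same idea as xinetd "instances" */

static int active = 0;           /* handler processes currently running */
int last_term_sig = 0;           /* signal that ended the most recently reaped child */

/* Constructed stand-in for a client that connects and then never sends data. */
void stalled_client(void) { for (;;) pause(); }

/* Reap finished children without blocking; returns how many slots were freed. */
int reap_children(void) {
    int freed = 0, status;
    while (active > 0 && waitpid(-1, &status, WNOHANG) > 0) {
        if (WIFSIGNALED(status)) last_term_sig = WTERMSIG(status);
        active--;
        freed++;
    }
    return freed;
}

/* Fork one handler. Returns its pid, 0 when the cap is reached (the caller
 * skips accept() so the request waits in the listen backlog), -1 on error. */
pid_t start_handler(void (*handler)(void), unsigned timeout_secs) {
    reap_children();
    if (active >= MAX_INSTANCES) return 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        signal(SIGALRM, SIG_DFL);  /* SIGALRM's default action terminates the child */
        alarm(timeout_secs);       /* the thread suggests alarm(30) for fingerd */
        handler();
        _exit(0);
    }
    active++;
    return pid;
}

int main(void) {
    for (int i = 1; i <= 3; i++)   /* third request is refused: cap reached */
        printf("request %d -> %ld\n", i, (long)start_handler(stalled_client, 1));
    sleep(2);                      /* both handlers hit their 1-second timeout */
    int freed = reap_children();
    printf("freed %d slots, last signal %d\n", freed, last_term_sig);
    return 0;
}
```

With the cap in place a flood of stalled connections can occupy at most MAX_INSTANCES process table slots, and the alarm guarantees each slot is returned after the timeout.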