Bugtraq mailing list archives
Re: Process table attack (from RISKS Digest)
From: unknown () RIVERSTYX NET (unknown () RIVERSTYX NET)
Date: Mon, 22 Feb 1999 15:49:45 -0800
Apache is also quite vulnerable, at least to an http DOS... It's pretty easy to swamp it by opening HARD_SERVER_LIMIT connections.

It's also usually unnecessary to use a root-spawned daemon for the attack, as long as you can find more than one listening daemon. The per-user limit is often something like 1/2 the size of the process table. I know that under Linux it is by default (MAX_TASKS_PER_USER = NR_TASKS/2).

In experimentation, I found that there was no need to use multiple machines or anything like that to perform the attack using Linux or FreeBSD. Sample code is at http://www.riverstyx.net/stuff/pbomb.pl. All that needed to be done on FreeBSD was increase MAX_OPEN. On Linux, NR_OPEN and MAX_OPEN needed to be increased. You might also have to fiddle with /proc/sys/kernel/file-max and ulimit.

On a related note, on a Linux machine with Apache's HARD_SERVER_LIMIT higher than Linux' MAX_TASKS_PER_USER it'll do some pretty interesting stuff. You'll end up with a couple hundred instances of Apache that are unkillable by any method, all sitting on port 80 and not responding to anything beyond the initial connection. The only solution that I know of is to reboot at that point...

On Sat, 20 Feb 1999, Mark Boolootian wrote:
Date: Fri, 19 Feb 1999 16:08:06 -0500
From: "Simson L. Garfinkel" <simsong () vineyard net>
Subject: Process-table attack

Wide-ranging attack works against almost any UNIX systems on the Internet

ABSTRACT: The Process Table Attack is a [relatively] new kind of denial-of-service attack that can be waged against numerous network services on a variety of different UNIX systems. The attack is launched against network services which fork() or otherwise allocate a new process for each incoming TCP/IP connection. Although the standard UNIX operating system places limits on the number of processes that any one user may launch, there are no limits on the number of processes that the superuser can create other than the hard limits imposed by the operating system. Since incoming TCP/IP connections are usually handled by servers that run as root, it is possible to completely fill a target machine's process table with multiple instantiations of network servers. Properly executed, this attack prevents any other command from being executed on the target machine.
<snippage>
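An added example, not part of the original post or the quoted abstract: a Python audit of a host's per-connection-forking services against the limits the message discusses, flagging a child cap above the per-user limit and a worst case that fills the process table. The table size, service inventory, user names and the `audit` function are constructed assumptions; only the NR_TASKS/2 relationship comes from the post.

```python
# Added example: constructed values, not taken from any real host.
NR_TASKS = 512                        # process table size (constructed)
MAX_TASKS_PER_USER = NR_TASKS // 2    # Linux default cited in the post

# Constructed inventory: service -> (run-as user, cap on children or None).
# The cap plays the role of a setting such as Apache's HARD_SERVER_LIMIT.
EXPOSED = {"ftpd": ("root", None), "httpd": ("www", 300), "smtpd": ("mail", None)}
CAPPED = {"ftpd": ("root", 30), "httpd": ("www", 150), "smtpd": ("mail", 50)}


def audit(services, nr_tasks, per_user_limit, baseline=0):
    """Return findings for a per-connection-forking service inventory.

    baseline is the number of processes the host runs anyway.
    """
    findings = []
    demand = {}  # user -> summed caps, or None when any service is uncapped
    for name, (user, cap) in sorted(services.items()):
        if cap is None:
            findings.append(f"{name}: no cap on children")
        elif user != "root" and cap > per_user_limit:
            # The case the post describes for Apache on Linux.
            findings.append(f"{name}: cap {cap} exceeds per-user limit {per_user_limit}")
        prev = demand.get(user, 0)
        demand[user] = None if cap is None or prev is None else prev + cap

    worst = baseline
    for user, want in demand.items():
        # root is not bound by the per-user limit, only by the table itself.
        ceiling = nr_tasks if user == "root" else per_user_limit
        worst += ceiling if want is None else min(want, ceiling)
    if worst >= nr_tasks:
        findings.append(f"worst case {worst} processes fills table of {nr_tasks}")
    return findings


if __name__ == "__main__":
    for label, inv in (("exposed", EXPOSED), ("capped", CAPPED)):
        print(label, audit(inv, NR_TASKS, MAX_TASKS_PER_USER, baseline=40) or "ok")
```
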