Bugtraq mailing list archives
Re: Process table attack (from RISKS Digest)
From: chaos () strange net (Andrew Hobgood)
Date: Tue, 23 Feb 1999 01:03:25 -0500

Subject: Process-table attack

The Process Table Attack is a [relatively] new kind of denial-of-service attack that can be waged against numerous network services on a variety of different UNIX systems. The attack is launched against network services

This flaw isn't only limited to programs run from inetd (or other on-demand forking servers). Over a year ago, I reported a DoS attack present in the "comsat" daemon (used to notify users of incoming mail). That report can be found at:

http://geek-girl.com/bugtraq/1997_3/0398.html

Now, a simple way to avoid these kinds of denial of service attacks is to watch for multiple connections to a port (especially ones with no data) from a single source (at an IDS or firewall level). You can then react with logging the attempts, firewalling the connections, or even spoofing connection resets to the local machine to clear out the connection table.

The major problem with that approach, however, is that some programs (the in.comsatd vulnerability, in particular) *look* like they're performing normal activity when a denial of service attack is in progress. Now, I'm sure that other programs exist that exhibit the same behavior, and these provide an even more worrisome issue than the normal forking-server family of daemons.

I hope this gets the gears rolling in some of the brighter minds out there...

/Andrew Hobgood
[http://web.strange.net | Kha0S on EFnet IRC (#LinuxOS)]
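
The per-source connection watch described in the message above, sketched as an added example that is not part of the original post: it counts open connections per source and port and separates mostly silent sources from merely busy ones. The record format, the thresholds and the function names are assumptions made for illustration, and, as the post notes, a check like this does not see attacks whose traffic looks like normal activity.

```python
from collections import defaultdict

# Constructed sample, one open TCP connection per line as an IDS or firewall
# might export it: "src_ip dst_port age_seconds bytes_received".
SAMPLE = "\n".join(
    [f"192.0.2.10 79 {40 + 10 * i} 0" for i in range(8)]         # many, silent
    + [f"198.51.100.7 25 {5 + i} {200 + i}" for i in range(7)]   # many, talking
    + ["203.0.113.5 79 60 0", "203.0.113.5 79 90 0"]             # few, silent
)


def parse(text):
    """Yield (src, port, age, nbytes) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        src, port, age, nbytes = fields
        try:
            yield src, int(port), int(age), int(nbytes)
        except ValueError:
            continue


def find_suspects(records, max_conns=5, idle_after=30):
    """Flag (source, port) pairs holding more than max_conns connections.

    A connection counts as silent when it has carried no data for at least
    idle_after seconds. Both thresholds are assumed values to tune per site.
    """
    total, silent = defaultdict(int), defaultdict(int)
    for src, port, age, nbytes in records:
        total[(src, port)] += 1
        if nbytes == 0 and age >= idle_after:
            silent[(src, port)] += 1
    suspects = []
    for (src, port), count in sorted(total.items()):
        if count <= max_conns:
            continue
        # Mostly silent connections match the pattern in the post: firewall.
        # Otherwise the source may just be busy, so only log it.
        action = "firewall" if silent[(src, port)] * 2 >= count else "log"
        suspects.append((src, port, count, silent[(src, port)], action))
    return suspects


if __name__ == "__main__":
    for row in find_suspects(parse(SAMPLE)):
        print(row)
```
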