Bugtraq mailing list archives

Re: Process table attack (from RISKS Digest)


From: chaos () strange net (Andrew Hobgood)
Date: Tue, 23 Feb 1999 01:03:25 -0500


Subject: Process-table attack

The Process Table Attack is a [relatively] new kind of denial-of-service
attack that can be waged against numerous network services on a variety of
different UNIX systems. The attack is launched against network services

This flaw isn't only limited to programs run from inetd (or other on-demand
forking servers).  Over a year ago, I reported a DoS attack present in the
"comsat" daemon (used to notify users of incoming mail).  That report can
be found at: http://geek-girl.com/bugtraq/1997_3/0398.html

Now, a simple way to avoid these kinds of denial of service attacks is to
watch for multiple connections to a port (especially ones with no data)
from a single source (at an IDS or firewall level).  You can then react
by logging the attempts, firewalling the connections, or even spoofing
connection resets to the local machine to clear out the connection table.

The major problem with that approach, however, is that some programs
(the in.comsatd vulnerability, in particular) *look* like they're
performing normal activity when a denial of service attack is in progress.
Now, I'm sure that other programs exist that exhibit the same behavior,
and these present an even more worrisome issue than the normal
forking-server family of daemons.

I hope this gets the gears rolling in some of the brighter minds out
there...

/Andrew Hobgood [http://web.strange.net | Kha0S on EFnet IRC (#LinuxOS)]
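The detection heuristic Hobgood sketches above, as an added example that is not part of the original post: a Python pass over a constructed connection log that flags any source opening many empty (zero-byte) connections to one port inside a short window, the signature of a process-table flood as seen from a firewall or IDS. The log format, the 60-second window, the threshold of 5 and the host addresses are all assumptions; records are assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow records, one per TCP connection, in an assumed format:
# <ISO timestamp> <source IP> <destination port> <bytes sent by the client>.
# 10.0.0.9 hammers port 513 with connections that never send data, the pattern
# the post describes; the other two hosts look like ordinary clients.
SAMPLE_LOG = """\
1999-02-23T01:00:00 10.0.0.5 25 412
1999-02-23T01:00:01 10.0.0.9 513 0
1999-02-23T01:00:01 10.0.0.9 513 0
1999-02-23T01:00:02 10.0.0.7 79 0
1999-02-23T01:00:02 10.0.0.9 513 0
1999-02-23T01:00:03 10.0.0.5 25 0
1999-02-23T01:00:03 10.0.0.9 513 0
1999-02-23T01:00:04 10.0.0.9 513 0
1999-02-23T01:00:05 10.0.0.7 79 0
1999-02-23T01:00:05 10.0.0.9 513 0
1999-02-23T01:00:06 10.0.0.5 25 388
"""


def parse_record(line):
    """Split one flow record into (timestamp, source, port, client_bytes)."""
    ts, src, dport, nbytes = line.split()
    return datetime.fromisoformat(ts), src, int(dport), int(nbytes)


def find_empty_connection_floods(lines, window_seconds=60, threshold=5):
    """Return {(source, port): peak_count} for every source that opened at least
    `threshold` zero-byte connections to the same port within `window_seconds`.
    Connections that carried client data are ignored: they are normal traffic."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (source, port) -> timestamps of empty connections
    flagged = {}
    for line in lines:
        ts, src, dport, nbytes = parse_record(line)
        if nbytes != 0:
            continue
        key = (src, dport)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # slide the window: drop connections that aged out
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


if __name__ == "__main__":
    for (src, dport), count in find_empty_connection_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{src} opened {count} empty connections to port {dport} inside 60s")
```

As the post itself warns, a daemon that is tied up by connections carrying plausible-looking data (the in.comsatd case) will not trip this check, so the threshold and the "no data" filter are tuning knobs for one class of flood, not a general guarantee.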
