Bugtraq mailing list archives

Re: News DoS using sendsys


From: rra () STANFORD EDU (Russ Allbery)
Date: Wed, 26 Aug 1998 15:52:58 -0700


Walter Hafner <hafner () INFORMATIK TU-MUENCHEN DE> writes:

> Our newsserver (INN) all of a sudden gets several 100 'sendsys' requests
> per day. The addresses of the people requesting the sendsys seem to be
> completely random. They all seem to be normal user-accounts. We see
> these sendsys requests for about a week now.

Just today, the same folks switched to using newgroups.  Unfortunately,
the control message handling in INN is still implemented using shell
scripts that are spawned directly from the news server, making it fairly
easy for a large batch of these to drive the load average of a news server
through the roof and hurt its normal functioning.  This is particularly
true if, rather than receiving a real-time feed, you're receiving news in
batches, because then your upstream will happily batch all the control
messages for you and you'll get several hundred at once.

There are several possible solutions at different levels of complexity.

First, please make sure that your control.ctl file or the equivalent has a
line like:

        sendsys:*:*:drop

Otherwise, not only are you processing these, but you're also replying to
them, and hence mailbombing the targets of this attack (myself included).
This is a harassment attack aimed at anyone who posts to news.admin.*.

Second, if you're running a recent version of INN with a Perl spam filter,
add something like the following to your filter_innd.pl:

        # Reject control messages that also carry a Supersedes header
        # (the header name per RFC 1036 is "Supersedes").
        return 'Supersedes in control message'
            if (defined $hdr{Supersedes} && defined $hdr{Control});
        # Reject sendsys control messages outright; guard against an
        # undefined Control header so the regex does not warn.
        return 'sendsys'
            if (defined $hdr{Control} && $hdr{Control} =~ /^\s*sendsys/);

or grab the latest version of Jeremy Nixon's Cleanfeed spam filter from
<URL:http://www.exit109.com/~jeremy/news/cleanfeed.html>.
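A stand-alone illustration of the filter idea above, added here and not taken from the post, from Cleanfeed or from INN itself: a filter_art() in the shape INN expects from filter_innd.pl (headers in %hdr, empty string to accept, any other string as the rejection reason). The per-verb cap, the %seen counter and the sample articles are assumptions of this example, not INN features.

```perl
#!/usr/bin/perl
# Added example: filter_art() as INN would call it from filter_innd.pl.
# INN fills %hdr before each call; '' accepts, anything else rejects.
use strict;
use warnings;

our %hdr;                  # populated by INN before each filter_art() call
my $MAX_PER_VERB = 50;     # assumed cap on newgroup/rmgroup per innd run
my %seen;                  # running count of expensive control verbs

sub filter_art {
    return '' unless defined $hdr{Control};          # ordinary article

    # A Supersedes header on a control message has no legitimate use here.
    return 'Supersedes in control message' if defined $hdr{Supersedes};

    my ($verb) = $hdr{Control} =~ /^\s*(\S+)/;
    return 'malformed Control header' unless defined $verb;
    $verb = lc $verb;

    # sendsys makes every site mail its newsfeeds file to the (forged)
    # sender, so a flood of them turns the whole net into a mailbomb.
    return 'sendsys' if $verb eq 'sendsys';

    # newgroup/rmgroup are handled by shell scripts spawned from innd;
    # damp a batch of hundreds before it drives the load average up.
    if ($verb eq 'newgroup' || $verb eq 'rmgroup') {
        return "too many $verb control messages"
            if ++$seen{$verb} > $MAX_PER_VERB;
    }
    return '';
}

# Constructed sample articles; runs only when executed directly.
unless (caller) {
    my @samples = (
        { Control => 'sendsys', From => 'victim@example.net' },
        { Control => 'newgroup alt.test', Supersedes => '<1@example.net>' },
        { Control => 'newgroup alt.test', From => 'news@example.org' },
        { Subject => 'a plain article, no Control header' },
    );
    for my $s (@samples) {
        %hdr = %$s;
        my $r = filter_art();
        my $label = defined $hdr{Control} ? $hdr{Control} : $hdr{Subject};
        printf "%-40s -> %s\n", $label, $r eq '' ? 'accept' : "reject ($r)";
    }
}
```

Run it directly to see the three rejections and one acceptance; under INN only the filter_art() body matters.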

Finally, patches to turn INN's control message handling into a channel
feed have finally been written, and are in the current INN CVS tree.
These send control messages through a channel feed to a separate program
for processing, rather than having INN handle them, and that separate
program does serialization to reduce the load impact.

This whole section of INN is being reworked, which is good; it's long
overdue for a complete rethink.

--
Russ Allbery (rra () stanford edu)         <URL:http://www.eyrie.org/~eagle/>