Bugtraq mailing list archives
Re: News DoS using sendsys
From: julian () LAVA NET (Julian Cowley)
Date: Thu, 27 Aug 1998 12:09:19 -1000
On Wed, 26 Aug 1998, Russ Allbery wrote:
> Walter Hafner <hafner () INFORMATIK TU-MUENCHEN DE> writes:
>
> > Our newsserver (INN) all of a sudden gets several 100 'sendsys' requests per day. The addresses of the people requesting the sendsys seem to be completely random. They all seem to be normal user accounts. We have been seeing these sendsys requests for about a week now.
> >
> > Just today, the same folks switched to using newgroups.
>
> Unfortunately, the control message handling in INN is still implemented using shell scripts that are spawned directly from the news server, making it fairly easy for a large batch of these to drive the load average of a news server through the roof and hurt its normal functioning. This is particularly true if, rather than receiving a real-time feed, you're receiving news in batches, because then your upstream will happily batch all the control messages for you and you'll get several hundred at once.
>
> There are several possible solutions at different levels of complexity. First, please make sure that your control.ctl file or the equivalent has a line like:
>
>     sendsys:*:*:drop
>
> Otherwise, not only are you processing these, but you're also replying to them, and hence mailbombing the targets of this attack (myself included). This is a harassment attack aimed at anyone who posts to news.admin.*.

The worst thing about these attacks is that they all contain Supersedes headers, which amounts to a very subtle way of cancelling articles. Even if you have entries in your control.ctl file, it's too late to prevent the cancel because the Supersedes takes effect right in INN's main loop, far before the control scripts kick in. The only way to prevent the cancels is to "alias" out the site using excludes in the newsfeeds file. For instance, change this

    ME\
        :!control,!junk/!local\
        ::

to this

    ME/a.site.which.is.sending.bad.sendsys.messages\
        :!control,!junk/!local\
        ::

The only problem is identifying which site is actually sending the control messages, because the beginning of the Path is usually forged. One clue is that the server is usually wide open, allowing connections from anyone.

ps. Thanks to Bossman for teaching me how all this stuff works.

> Second, if you're running a recent version of INN with a Perl spam filter, add something like the following to your filter_innd.pl:
>
>     # Control messages never legitimately carry a Supersedes header;
>     # the header name is "Supersedes", so that is the %hdr key to test.
>     return 'Supersedes in control message'
>         if (defined $hdr{Supersedes} && defined $hdr{Control});
>     # Drop sendsys requests outright (guard against an undefined Control).
>     return 'sendsys'
>         if (defined $hdr{Control} && $hdr{Control} =~ /^\s*sendsys/);
>
> or grab the latest version of Jeremy Nixon's Cleanfeed spam filter from <URL:http://www.exit109.com/~jeremy/news/cleanfeed.html>.
>
> Finally, patches to turn INN's control message handling into a channel feed have finally been written, and are in the current INN CVS tree. These send control messages through a channel feed to a separate program for processing, rather than having INN handle them, and that separate program does serialization to reduce the load impact. This whole section of INN is being reworked, which is good; it's long overdue for a complete rethink.
>
> --
> Russ Allbery (rra () stanford edu) <URL:http://www.eyrie.org/~eagle/>
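As an added example, not part of this thread or of INN itself, here is a stand-alone Perl script that applies the two checks from the filter_innd.pl snippet above to a few constructed header sets; the %hdr-style hash and the "return a reason string to reject" convention are assumed from that snippet, and the script does not hook into INN.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): apply the two control-message
# rules from the filter_innd.pl snippet to article headers. Assumes the
# convention shown there: a hash keyed by header name, and a non-empty return
# string meaning "reject this article for the stated reason".
use strict;
use warnings;

# Returns a rejection reason, or the empty string to accept the article.
sub check_control {
    my ($hdr) = @_;
    my $control = $hdr->{Control};
    return '' unless defined $control;      # ordinary article: nothing to do

    # A Supersedes header on a control message is an implicit cancel that INN
    # acts on before control.ctl is consulted, so refuse it at filter time.
    return 'Supersedes in control message' if defined $hdr->{Supersedes};

    # sendsys replies are mailed to the (forged) requester; drop them outright.
    return 'sendsys' if $control =~ /^\s*sendsys\b/;

    return '';
}

# Constructed sample header sets (not real traffic).
my @samples = (
    { desc => 'plain article',
      hdr  => { Subject => 'hello' } },
    { desc => 'sendsys request',
      hdr  => { Control => 'sendsys', Subject => 'cmsg sendsys' } },
    { desc => 'newgroup with Supersedes',
      hdr  => { Control    => 'newgroup alt.test',
                Supersedes => '<abc@example.invalid>' } },
    { desc => 'legitimate cancel',
      hdr  => { Control => 'cancel <xyz@example.invalid>' } },
);

for my $s (@samples) {
    my $why = check_control($s->{hdr});
    printf "%-26s -> %s\n", $s->{desc},
        ($why eq '' ? 'accept' : "reject ($why)");
}
```

Running it accepts the plain article and the legitimate cancel, and rejects the sendsys request and the Supersedes-bearing newgroup with the same reason strings the filter would return.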