Bugtraq mailing list archives

Re: inetd DoS exploit


From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Mon, 26 Feb 2001 16:39:58 -0500

On Sun, 25 Feb 2001, Serega[linux] wrote:

[ser@ihg prog]$ cc inetddos.c -o inetddos
[ser@ihg prog]$ ./inetddos 127.0.0.1 21
DoS OK

(code snipped)

*hrm* ok. this is old. see also the inetd process table attack.
http://www.interesting-people.org/199902/0069.html

this can be stemmed in a number of ways:

1] using inetd, rate limit the connections. change a line like

telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd

to

telnet  stream  tcp     nowait.1  root    /usr/libexec/telnetd    telnetd

this will maximize the number of connections per minute on that service:

(from an inetd manpage on OpenBSD 2.8)

The optional ``max'' suffix (separated from ``wait'' or ``nowait'' by a
dot) specifies the maximum number of server instances that may be spawned
from inetd within an interval of 60 seconds.  When omitted, ``max''
defaults to 40.

2] inetd -R. (again from OpenBSD's 2.8 manpage for inetd)

     -R rate
             Specify the maximum number of times a service can be invoked
             in one minute; the default is 256.

i believe the inetd in Linux, which is derived from BSD's inetd, has these
features. at least the last time i looked at the code (eons ago) it did.

3] move to xinetd or other similar programs which have rate limiting.
solar designer has a neat-o patch for xinetd that can do max-per-IP
limits. very nice ... :)

anyhow, old, mitigations are already in place, just learn to use them.

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
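
Added example, not part of the original message: a small audit of inetd.conf that reports each service's effective per-minute spawn limit, using the ``max'' suffix syntax and the default of 40 from the OpenBSD 2.8 manpage text quoted above. The sample configuration, the audit() function and its "ceiling" parameter are constructed for illustration.

```python
import re

DEFAULT_MAX = 40  # default when ``max'' is omitted, per the manpage quoted above

# Constructed sample inetd.conf (not taken from the original post).
SAMPLE_CONF = """\
# constructed sample
telnet  stream  tcp     nowait      root    /usr/libexec/telnetd    telnetd
ftp     stream  tcp     nowait.10   root    /usr/libexec/ftpd       ftpd -US
ntalk   dgram   udp     wait        root    /usr/libexec/ntalkd     ntalkd
finger  stream  tcp     nowait.500  nobody  /usr/libexec/fingerd    fingerd
"""

# Fourth field: wait or nowait, optionally followed by ".max"
WAIT_RE = re.compile(r"^(wait|nowait)(?:\.(\d+))?$")


def audit(conf_text, ceiling=DEFAULT_MAX):
    """Return (lineno, service, wait_mode, effective_max, note) per service line.

    'ceiling' is a hypothetical site policy: the highest per-minute limit
    the administrator is willing to accept for any one service.
    """
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # service, socket type, protocol, wait[.max], user, server program
        if len(fields) < 6:
            findings.append((lineno, fields[0], None, None, "malformed"))
            continue
        m = WAIT_RE.match(fields[3])
        if not m:
            findings.append((lineno, fields[0], None, None, "bad wait field"))
            continue
        explicit = m.group(2)
        limit = int(explicit) if explicit is not None else DEFAULT_MAX
        if explicit is None:
            note = "implicit default"
        elif limit > ceiling:
            note = "above ceiling"
        else:
            note = "ok"
        findings.append((lineno, fields[0], m.group(1), limit, note))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("line %d: %s %s max=%s (%s)" % finding)
```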

