Bugtraq mailing list archives
Re: 11 years of inetd default insecurity?
From: Mike Tancsa <mike () sentex net>
Date: Mon, 08 Sep 2003 13:50:15 -0400
At 06:08 PM 06/09/2003 +0400, 3APA3A wrote:
> The problem is, a remote attacker can establish as many connections per minute as bandwidth allows... Now, guess how inetd reacts if more than 256 connections are received in one minute? It will disable the service for the next 10 minutes to help the attack succeed. Of course, this is documented. The interval is not configurable. Something like
>
> Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service terminated
>
> will appear in the logs... If the connection is closed by the attacker before the service actually starts, the IP address of the attacker will never be logged.
>
> IV. Workaround
Hi,

On FreeBSD's inetd there is the -C option in conjunction with the -R option:

     -C rate  Specify the default maximum number of times a service can be
              invoked from a single IP address in one minute; the default is
              unlimited.  May be overridden on a per-service basis with the
              "max-connections-per-ip-per-minute" parameter.

     -R rate  Specify the maximum number of times a service can be invoked in
              one minute; the default is 256.  A rate of 0 allows an unlimited
              number of invocations.

You can run without either of these options, but then you risk a DoS from resource starvation, e.g. invoke 1000 copies of ftpd and eat up all the RAM/swap etc. It's problematic either way, but at least you can mitigate the effects somewhat if it's a single host attacking.
---Mike
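To make the trade-off in the reply above concrete, here is a small Python model of the two limits, added as an illustration for this archive page; it is not inetd's source and not code posted by anyone in the thread. It keeps a service-wide invocation count (the -R limit, default 256) and a per-source count (the -C limit), resets both each one-minute window, and shuts the service off for ten minutes when the service-wide limit is exceeded, as the quoted "looping" log line describes. The connection trace, the IP addresses, the decision to check the per-source limit before counting toward the service-wide total, and the wording of the per-IP log message are constructed assumptions for the example.

```python
"""Model of inetd-style per-minute invocation limits (added example, not inetd code)."""
from collections import defaultdict

WINDOW = 60          # invocations are counted per one-minute interval
DISABLE_SECS = 600   # a service judged to be "looping" is disabled for ten minutes


class RateLimitedService:
    """One inetd.conf entry with a service-wide (-R) and a per-source (-C) limit."""

    def __init__(self, name, max_per_minute=256, max_per_ip_per_minute=0):
        self.name = name
        self.max_per_minute = max_per_minute     # -R rate; 0 means unlimited
        self.max_per_ip = max_per_ip_per_minute  # -C rate; 0 means unlimited
        self.window_start = None
        self.count = 0                           # invocations in the current window
        self.per_ip = defaultdict(int)           # invocations per source in the window
        self.disabled_until = None               # set while the service is shut off
        self.children = 0                        # processes actually spawned
        self.log = []                            # what syslog would have received

    def connect(self, t, src_ip):
        """Handle one incoming connection at time t (seconds).

        Returns 'spawned', 'refused-ip' (dropped by the -C limit) or
        'disabled' (service is shut off, nothing is logged about src_ip).
        """
        if self.disabled_until is not None:
            if t < self.disabled_until:
                return 'disabled'
            self.disabled_until = None           # retry interval elapsed, re-enabled

        if self.window_start is None or t - self.window_start >= WINDOW:
            self.window_start, self.count = t, 0
            self.per_ip.clear()

        # Assumption: the per-source check runs first, and a connection it refuses
        # is dropped without counting toward the service-wide total.
        self.per_ip[src_ip] += 1
        if self.max_per_ip and self.per_ip[src_ip] > self.max_per_ip:
            self.log.append(f"{self.name} from {src_ip} exceeded counts/min "
                            f"(limit {self.max_per_ip})")
            return 'refused-ip'

        self.count += 1
        if self.max_per_minute and self.count > self.max_per_minute:
            # The whole service goes down, including for every other client.
            self.log.append(f"{self.name}/tcp server failing (looping), "
                            f"service terminated")
            self.disabled_until = t + DISABLE_SECS
            return 'disabled'

        self.children += 1
        return 'spawned'


def flood_scenario(max_per_minute, max_per_ip_per_minute):
    """Constructed trace: one source opens 300 connections in 30 s, then a
    second, legitimate client tries once at t=45 s and again at t=700 s."""
    svc = RateLimitedService('ftp', max_per_minute, max_per_ip_per_minute)
    attacker = [svc.connect(i * 0.1, '203.0.113.9') for i in range(300)]
    return {
        'attacker_spawned': attacker.count('spawned'),
        'legit_at_45s': svc.connect(45, '198.51.100.7'),
        'legit_at_700s': svc.connect(700, '198.51.100.7'),
        'children': svc.children,
        'looping_logged': any('looping' in line for line in svc.log),
    }


if __name__ == '__main__':
    for label, args in (('default -R 256, no -C', (256, 0)),
                        ('-R 256 -C 50', (256, 50)),
                        ('-R 0, no -C (unlimited)', (0, 0))):
        print(label, flood_scenario(*args))
```

The three runs show the point of the reply: with the default service-wide limit alone, a single flooding source takes the service down for everyone and the legitimate client at 45 s is refused; with a per-source limit the flooder is cut off at 50 while the other client is still served; with both limits off nothing is refused, but every one of the 300 connections spawns a child, which is the resource-starvation risk.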
Current thread:
- 11 years of inetd default insecurity? 3APA3A (Sep 06)
- Re: 11 years of inetd default insecurity? Thamer Al-Harbash (Sep 08)
- Re: 11 years of inetd default insecurity? Dan Stromberg (Sep 08)
- Re: 11 years of inetd default insecurity? Andres Kroonmaa (Sep 10)
- Re: 11 years of inetd default insecurity? Dan Stromberg (Sep 08)
- Re: 11 years of inetd default insecurity? Dagmar d'Surreal (Sep 08)
- Re: 11 years of inetd default insecurity? Mike Hoskins (Sep 09)
- Re: 11 years of inetd default insecurity? Mike Tancsa (Sep 08)
- Re: 11 years of inetd default insecurity? Jonathan A. Zdziarski (Sep 10)
- Re: 11 years of inetd default insecurity? Greg A. Woods (Sep 10)
- Re: 11 years of inetd default insecurity? Jonathan A. Zdziarski (Sep 10)
- Re: 11 years of inetd default insecurity? Dan Harkless (Sep 09)
- Re: 11 years of inetd default insecurity? Darren Pilgrim (Sep 09)
- <Possible follow-ups>
- Re: 11 years of inetd default insecurity? Paul Szabo (Sep 08)
- Re[2]: 11 years of inetd default insecurity? 3APA3A (Sep 08)
- Re: 11 years of inetd default insecurity? Lucas Holt (Sep 08)
- Re: Re[2]: 11 years of inetd default insecurity? Paul Szabo (Sep 08)
- Re[4]: 11 years of inetd default insecurity? 3APA3A (Sep 08)
- RE: 11 years of inetd default insecurity? bjornar.bjorgum.larsen (Sep 09)
- Re: 11 years of inetd default insecurity? Thamer Al-Harbash (Sep 08)