Bugtraq mailing list archives
Re: Linux 2.4.27 SECURITY BUG - TCP Local (probable Remote) Denial of Service
From: "David S. Miller" <davem () davemloft net>
Date: Sat, 11 Sep 2004 20:47:10 -0700
On Sat, 11 Sep 2004 20:45:43 -0600 "Wolfpaw - Dale Corse" <admin () wolfpaw net> wrote:

> As for it being an application bug - it may be one in Mysql not closing the sockets, but it is a Kernel Bug that allows CLOSE_WAIT sockets to clog up the connection queues, and cause a DOS condition on other applications (such as Apache). Since most software used for denial of service is badly written (intentionally) to exploit the holes, the error should be fixed, not blamed on faulty software.

If the application doesn't close its file descriptors there is absolutely nothing the kernel can do about it. It's a resource leak, plain and simple.

> That being said - below is the proper description, and the code used to exploit it. Hope it helps. This version is not the one which invokes the CLOSE_WAIT state, but rather the TIME_WAIT one, I am not able to publish the source code for the CLOSE_WAIT bug.

There is nothing wrong with creating tons of TIME_WAIT sockets, they simply time out after 60 seconds (unless hit by a RESET packet or similar). This is how TCP works.

> The log however clearly shows that a mysql descriptor is closed, and then used immediately again by the socket call, which causes it never to end up getting closed. Linux apparently has either no timeout for CLOSE_WAIT, or it's a very very long one.. Either way is a bad thing.

Please do us all a favor and learn how TCP works. CLOSE_WAIT means simply that only one side of the TCP connection has done a close. Therefore the other end stays open until that side closes as well. There is no way to "time things out" or release the state.
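
Added example, not part of the original message or of any code posted in this thread: a small Python parser for the Linux `/proc/net/tcp` socket table that counts sockets per state and reports local endpoints accumulating CLOSE_WAIT entries, which is how the descriptor leak discussed above shows up on a host. The sample table, the `threshold` value and all function names are constructed for illustration, and the address decoding assumes a little-endian machine.

```python
import socket
import struct
from collections import Counter

# Kernel TCP state numbers as printed in the "st" column of /proc/net/tcp
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed)
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 1001
   1: 0100007F:0CEA 0100007F:9C40 08 00000000:00000001 00:00000000 00000000    27        0 1002
   2: 0100007F:0CEA 0100007F:9C41 08 00000000:00000001 00:00000000 00000000    27        0 1003
   3: 0100007F:0CEA 0100007F:9C42 08 00000000:00000001 00:00000000 00000000    27        0 1004
   4: 0100007F:9C50 0100007F:0050 06 00000000:00000000 03:00000BB8 00000000     0        0 0
   5: 0100007F:0050 0100007F:9C51 01 00000000:00000000 00:00000000 00000000    33        0 1005
"""

def decode_addr(hex_addr):
    """Turn '0100007F:0CEA' into ('127.0.0.1', 3306); assumes a little-endian host."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse the IPv4 TCP socket table into a list of dicts, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": TCP_STATES.get(f[3], f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows

def close_wait_by_endpoint(rows, threshold=3):
    """Local endpoints holding >= threshold CLOSE_WAIT sockets: the peer has
    closed and the owning process has not yet called close()."""
    counts = Counter(r["local"] for r in rows if r["state"] == "CLOSE_WAIT")
    return {ep: n for ep, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    rows = parse_proc_net_tcp(SAMPLE)  # on a live host: open("/proc/net/tcp").read()
    print(Counter(r["state"] for r in rows))
    for (ip, port), n in close_wait_by_endpoint(rows).items():
        print(f"{ip}:{port} has {n} sockets in CLOSE_WAIT (descriptor leak suspected)")
```

On a live system the non-zero inode of each CLOSE_WAIT row can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to find the process that still holds the descriptor.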