Re: 11 years of inetd default insecurity?

From: Mike Tancsa (mike_at_sentex.net)
Date: 09/08/03

    Date: Mon, 08 Sep 2003 13:50:15 -0400
    To: bugtraq@securityfocus.com
    
    

    At 06:08 PM 06/09/2003 +0400, 3APA3A wrote:

    >The problem is, remote attacker can establish as many connections per
    >minute as bandwidth allows... Now, guess how inetd reacts if more than
    >256 connections received in one minute? It will disable service for next
    >10 minutes to help the attack succeed. Of course, this is documented.
    >Interval is not configurable.
    >
    >something like
    >
    >Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service
    >terminated
    >
    >will appear in logs... If connection is closed by attacker before
    >service actually starts, IP address of attacker will never be logged.
    >
    >IV. Workaround

    Hi,
    On FreeBSD's inetd there is the -C option in conjunction with the -R option

          -C rate
                  Specify the default maximum number of times a service can be
                  invoked from a single IP address in one minute; the default is
                  unlimited. May be overridden on a per-service basis with the
                  "max-connections-per-ip-per-minute" parameter.

          -R rate
                  Specify the maximum number of times a service can be invoked in
                  one minute; the default is 256. A rate of 0 allows an unlimited
                  number of invocations.

    You can run without either of these options, but then you risk a DoS from
    resource starvation, e.g. invoke 1000 copies of ftpd and eat up all the
    RAM/swap etc. It's problematic either way, but at least you can mitigate
    the effects somewhat if it's a single host attacking.

             ---Mike
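To make the trade-off in the reply above concrete, here is an added example that is not part of Mike's post and not inetd's own code: a small Python model of the two limits, run over a constructed stream of connection attempts. The one-minute counting window and the ten-minute disable period are taken from the thread; everything else (the counting method, the "dropped" outcome for a per-IP overrun, the sample traffic and the documentation-range IP addresses) is an assumption of this model, not a description of inetd internals. The model shows the point of the thread: with only the global -R limit, one flooding host trips the 256/minute threshold and the service is disabled for everybody, including the well-behaved client; with a per-IP -C limit in front of it, only the flooding host is throttled.

```python
"""Model of inetd-style global (-R) and per-IP (-C) invocation limits.

Added example, not inetd's code. WINDOW and DISABLE_FOR come from the
thread (one-minute counting interval, ten-minute shutdown); the rest is
a simplification assumed here for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW = 60        # seconds in the counting interval (from the thread)
DISABLE_FOR = 600  # seconds a "looping" service stays off (from the thread)


@dataclass
class Limiter:
    """One inetd service with a global limit and an optional per-IP limit.

    A rate of 0 means unlimited, mirroring "-R 0" in the man page text.
    """
    global_rate: int = 256          # -R default from the man page
    per_ip_rate: int = 0            # -C default (unlimited) from the man page
    _global: deque = field(default_factory=deque)
    _per_ip: dict = field(default_factory=lambda: defaultdict(deque))
    disabled_until: float = 0.0

    @staticmethod
    def _prune(q, now):
        """Drop timestamps that fell out of the one-minute window."""
        while q and now - q[0] >= WINDOW:
            q.popleft()

    def connect(self, now, ip):
        """Return 'served', 'dropped' (per-IP limit) or 'disabled' (global)."""
        if now < self.disabled_until:
            return "disabled"
        if self.per_ip_rate:
            q = self._per_ip[ip]
            self._prune(q, now)
            if len(q) >= self.per_ip_rate:
                return "dropped"        # assumed: only this source is refused
            q.append(now)
        if self.global_rate:
            self._prune(self._global, now)
            if len(self._global) >= self.global_rate:
                # Too many invocations in one minute: the service goes away
                # for ten minutes, for every client, as the thread describes.
                self.disabled_until = now + DISABLE_FOR
                return "disabled"
        self._global.append(now)
        return "served"


def simulate(limiter, attempts):
    """Feed (time, ip) attempts through the limiter; return outcome counts per IP."""
    stats = defaultdict(lambda: defaultdict(int))
    for t, ip in attempts:
        stats[ip][limiter.connect(t, ip)] += 1
    return {ip: dict(counts) for ip, counts in stats.items()}


def constructed_traffic():
    """Constructed sample (not real data): an attacker at 203.0.113.7 opens
    300 connections in the first 30 seconds; a legitimate client at
    198.51.100.5 connects once every 10 seconds for five minutes."""
    attacker = [(i * 0.1, "203.0.113.7") for i in range(300)]
    legit = [(t, "198.51.100.5") for t in range(0, 300, 10)]
    return sorted(attacker + legit)


if __name__ == "__main__":
    for label, lim in (("-R 256 only", Limiter(global_rate=256)),
                       ("-R 256 plus -C 10", Limiter(global_rate=256, per_ip_rate=10))):
        print(label, simulate(lim, constructed_traffic()))
```

Running it, the global-only configuration serves the legitimate client three times and then reports "disabled" for the remaining 27 attempts, because the attacker's 257th connection turned the service off for ten minutes; with the per-IP limit added, the attacker is served 10 times and dropped 290 times while the legitimate client is served on all 30 attempts. In FreeBSD's inetd.conf the per-service override the man page mentions is written as a suffix on the wait/nowait field (for example `nowait/10/5`, meaning max-child 10 and max-connections-per-ip-per-minute 5), so the -C/-R flags in rc.conf and the per-line suffixes can be combined per service.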

