Re: iptables & tcp wrappers

From: Luis M (lemsx1_at_latinomixed.com)
Date: 10/05/04

    To: Thomas Chiverton <thomas.chiverton@bluefinger.com>
    Date: Mon, 04 Oct 2004 21:40:20 -0400

    On Mon, 2004-10-04 at 17:20 +0100, Thomas Chiverton wrote:
    > On Sunday 03 Oct 2004 02:12 am, you said:
    > > sshd ssh: ALL : spawn ( /etc/firestarter/slap-this-bitch %a %d ) & :
    > > DENY # spawns a process that adds the offending IP to the blocked-hosts
    >
    > Handy DoS there if I can send packets faster than you can spawn and restart
    > the firewall, no ?

    Indeed it is possible, so this is not intended for a production server
    that handles a lot of requests per second.

    Now, it takes a few milliseconds to reload the script that enables the
    blocked-hosts file (and as you can see this spawned process is sent to
    the background with the ampersand (&)); this means that if you do a lot
    of requests before the process is spawned, the server will hold traffic
    to sshd for all subsequent requests (a mini-DoS you might say).
    However, a few milliseconds later you will be blocked for that IP, thus
    you will be forced to change IPs to continue DoS'ing the box.

    To minimize the possibility of DoS, this rule is the last in the
    hosts.allow file. And all other public services (ports) are declared
    before this rule. Yet, you have a point in that it may create a
    temporary DoS.

    In practice what I have seen is that IPs might get logged twice in the
    blocked-hosts file, but no more. And I have never been prevented from
    accessing any of the servers for which this rule is enabled.

    --
    ----)(----- 
    Luis M 
    System Administrator 
    LatinoMixed.com 
    lemsx1@latinomixed.com 
    One person's error is another person's data. 
    http://www.latinomixed.com/
    
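The duplicate entries and repeated firewall reloads discussed above come from several spawned handlers racing on the same file. Below is an added example of a spawn target that records each client address exactly once under a lock and only triggers a reload for a genuinely new address; it is not the original poster's script. The blocked-hosts path is the one named in the thread, while the function name, the lock mechanism and the RELOAD_CMD hook are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Intended to be invoked from a
# hosts.allow spawn clause with the client address (%a) as its only argument.
# The file path is the one mentioned in the thread; RELOAD_CMD is an assumed
# hook for whatever re-applies the firewall rules (defaults to a no-op).
BLOCKED_HOSTS="${BLOCKED_HOSTS:-/etc/firestarter/blocked-hosts}"
RELOAD_CMD="${RELOAD_CMD:-true}"

# add_blocked_host ADDR
#   Returns 0 if ADDR was newly recorded (and RELOAD_CMD was run),
#           1 if ADDR was already present (nothing written, no reload),
#           2 if ADDR is not a plain dotted-decimal address,
#           3 if the lock could not be acquired.
add_blocked_host() {
    addr=$1
    # Only accept digits and dots: %a comes from the network, so never let
    # arbitrary text reach the file or a later shell that reads it.
    case $addr in
        ''|*[!0-9.]*) return 2 ;;
    esac
    [ -e "$BLOCKED_HOSTS" ] || : > "$BLOCKED_HOSTS"

    # mkdir is atomic on POSIX filesystems, so it serves as a portable lock
    # that serialises concurrently spawned handlers.
    lock="$BLOCKED_HOSTS.lock"
    tries=0
    until mkdir "$lock" 2>/dev/null; do
        tries=$((tries + 1))
        [ "$tries" -lt 20 ] || return 3
        sleep 1
    done

    # Exact whole-line match, so 10.0.0.1 does not shadow 10.0.0.10.
    if grep -qxF "$addr" "$BLOCKED_HOSTS"; then
        rmdir "$lock"
        return 1
    fi
    printf '%s\n' "$addr" >> "$BLOCKED_HOSTS"
    rmdir "$lock"

    # Reload only for a new address, so repeated hits from one source do
    # not each cost a firewall restart.
    $RELOAD_CMD
    return 0
}

if [ "$#" -eq 1 ]; then
    add_blocked_host "$1"
fi
```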
