BugTraq
11 years of inetd default insecurity? Sep 06 2003 02:08PM
3APA3A (3APA3A SECURITY NNOV RU) (5 replies)
Re: 11 years of inetd default insecurity? Sep 09 2003 05:17PM
Darren Pilgrim (dmp bitfreak org)
Re: 11 years of inetd default insecurity? Sep 08 2003 11:24PM
Dan Harkless (bugtraq harkless org)
Re: 11 years of inetd default insecurity? Sep 08 2003 05:50PM
Mike Tancsa (mike sentex net) (1 replies)
At 06:08 PM 06/09/2003 +0400, 3APA3A wrote:

>The problem is, a remote attacker can establish as many connections per
>minute as bandwidth allows... Now, guess how inetd reacts if more than
>256 connections are received in one minute? It will disable the service for the next
>10 minutes to help the attack succeed. Of course, this is documented.
>Interval is not configurable.
>
>something like
>
>Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service
>terminated
>
>will appear in the logs... If the connection is closed by the attacker before
>the service actually starts, the attacker's IP address will never be logged.
>
>IV. Workaround

Hi,
On FreeBSD's inetd there is the -C option, used in conjunction with the -R option:

-C rate
Specify the default maximum number of times a service can be
invoked from a single IP address in one minute; the default is
unlimited. May be overridden on a per-service basis with the
"max-connections-per-ip-per-minute" parameter.

-R rate
Specify the maximum number of times a service can be invoked in
one minute; the default is 256. A rate of 0 allows an unlimited
number of invocations.

You can run without either of these options, but then you risk a DoS from
resource starvation, e.g. invoking 1000 copies of ftpd and eating up all the
RAM/swap etc. It's problematic either way, but at least you can mitigate
the effects somewhat if it's a single host attacking.

---Mike

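To make the interaction between the two limits concrete, here is a small simulation added to this thread (it is not inetd's code and not something either poster supplied). It models the -R limit as a per-service counter that shuts the service off for 10 minutes once more than the limit of invocations arrive within a minute, and the -C limit as a per-address count over the last 60 seconds that only drops that address's extra connections. The model assumes the per-address check runs before the global count, so connections dropped by -C never count toward -R; the addresses, rates and the legitimate client's schedule are constructed for the illustration.

```python
from collections import deque

WINDOW = 60    # seconds: inetd counts invocations per minute
RETRY = 600    # seconds: the service stays disabled for 10 minutes after "looping"


class Service:
    """One inetd-managed service with the two limits modelled as:
    global_limit -> -R (default 256/min; 0 means unlimited)
    per_ip_limit -> -C (None means unlimited, which is inetd's default)"""

    def __init__(self, name, global_limit=256, per_ip_limit=None):
        self.name = name
        self.global_limit = global_limit
        self.per_ip_limit = per_ip_limit
        self.count = 0              # invocations since the current window started
        self.window_start = 0.0
        self.disabled_until = None  # set when the -R limit trips
        self.per_ip = {}            # address -> recent accept times (-C bookkeeping)
        self.log = []               # what inetd would have syslogged

    def _per_ip_exceeded(self, addr, now):
        if self.per_ip_limit is None:
            return False
        recent = self.per_ip.setdefault(addr, deque())
        while recent and now - recent[0] > WINDOW:
            recent.popleft()        # forget accepts older than one minute
        if len(recent) >= self.per_ip_limit:
            self.log.append("%s from %s exceeded counts/min (limit %d/min)"
                            % (self.name, addr, self.per_ip_limit))
            return True
        recent.append(now)
        return False

    def connect(self, addr, now):
        """Outcome of one connection attempt at time `now` from `addr`:
        'served', 'dropped' (per-address limit) or 'refused' (service disabled)."""
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return "refused"
            self.disabled_until, self.count = None, 0   # 10 minutes are up
        # Model assumption: the per-address check runs first, so connections it
        # drops are never counted against the global -R limit.
        if self._per_ip_exceeded(addr, now):
            return "dropped"
        if self.count == 0:
            self.window_start = now
        elif self.global_limit > 0 and self.count >= self.global_limit:
            if now - self.window_start > WINDOW:
                self.window_start, self.count = now, 0   # a fresh minute
            else:
                self.log.append("%s/tcp server failing (looping), service terminated"
                                % self.name)
                self.disabled_until = now + RETRY
                return "refused"
        self.count += 1
        return "served"


def simulate(per_ip_limit, seconds=120):
    """Constructed scenario: one address opens 20 connections per second for the
    first 30 seconds while a legitimate client elsewhere connects every 5 seconds.
    Returns the legitimate client's outcomes and whether the service was shut off."""
    svc = Service("ftp", global_limit=256, per_ip_limit=per_ip_limit)
    legit = {"served": 0, "dropped": 0, "refused": 0}
    for t in range(seconds):
        if t < 30:
            for i in range(20):
                svc.connect("192.0.2.10", t + i / 20.0)   # constructed, documentation-range address
        if t % 5 == 0:
            legit[svc.connect("198.51.100.7", t + 0.5)] += 1
    terminated = any("looping" in line for line in svc.log)
    return legit, terminated


if __name__ == "__main__":
    for limit in (None, 30):
        outcome, terminated = simulate(limit)
        print("-C %s: legitimate client %s, service terminated: %s"
              % (limit, outcome, terminated))
```

With only the default -R 256, the single noisy address pushes the service past 256 invocations in the first 13 seconds, inetd logs the "failing (looping)" line and the legitimate client is refused for the rest of the run; with -C 30 that address is capped at 30 accepts per minute, the global counter never approaches 256, and the legitimate client is served every time. On FreeBSD the real flags are set through inetd_flags in /etc/rc.conf.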
Re: 11 years of inetd default insecurity? Sep 09 2003 02:07PM
Jonathan A. Zdziarski (jonathan nuclearelephant com) (1 replies)
Re: 11 years of inetd default insecurity? Sep 10 2003 06:47PM
Greg A. Woods (woods weird com)
Re: 11 years of inetd default insecurity? Sep 08 2003 01:46AM
Thamer Al-Harbash (tmh whitefang com) (1 replies)
Re: 11 years of inetd default insecurity? Sep 08 2003 07:44PM
Dan Stromberg (strombrg dcs nac uci edu) (1 replies)
Re: 11 years of inetd default insecurity? Sep 10 2003 06:40AM
Andres Kroonmaa (andre online ee)
Re: 11 years of inetd default insecurity? Sep 07 2003 09:59PM
Dagmar d'Surreal (dagmar wants nospam com) (1 replies)
Re: 11 years of inetd default insecurity? Sep 08 2003 10:46PM
Mike Hoskins (mike adept org)
Copyright 2010, SecurityFocus