[1061] in linux-security and linux-alert archive
Re: [linux-security] inetd and denial-of-service
daemon@ATHENA.MIT.EDU (Sam Quigley)
Sat Aug 24 19:18:40 1996
Date: Thu, 22 Aug 1996 10:46:20 -0700 (PDT)
From: Sam Quigley <poodge@econ.Berkeley.EDU>
To: shagboy@bluesky.net
cc: Joel Maslak <j@pobox.com>,
Linux Security Mailing List <linux-security@tarsier.cv.nrao.edu>
In-Reply-To: <Pine.LNX.3.91.960821225700.133A-100000@cirrus.bluesky.net>
On Wed, 21 Aug 1996, Racer X wrote:
> > 2. Block access to all ports except from "trusted sites". This assumes an
> > open environment where the network medium is generally trusted. Note that
> > IP spoofing attacks can occur if the network is not trusted.
>
> This can be done with TCP wrappers.
>
> [REW: Not quite. If inetd drops the port, tcpd won't get started.
> Another problem is that a tcpd is started for every connection. This
> means that state would have to be passed by files, creating locking
> problems etc etc. -> Not trivial. Inetd seems fine to me.]
I don't know a whole hell of a lot about xinetd, but I do know that it
allows some sort of control over connections in the same style that TCP
wrappers does. Perhaps xinetd would be a good solution for this?
-sq
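As an added illustration (not part of the original thread), here is the "trusted sites only" restriction discussed above written two ways: as TCP Wrappers rules for a service started by inetd through tcpd, and as an xinetd service entry, where the access list and the connection limits live in the single long-running xinetd process rather than in a tcpd spawned per connection. The trusted network 192.0.2.0/24 and the telnet service are constructed placeholders; the `instances`, `per_source` and `cps` attributes assume an xinetd release that supports them.

```conf
# --- /etc/hosts.allow (TCP Wrappers; consulted by tcpd for each connection) ---
# Constructed example: 192.0.2.0/24 stands in for the "trusted" network.
in.telnetd : 192.0.2.0/255.255.255.0

# --- /etc/hosts.deny ---
# Everything not explicitly allowed above is refused.
ALL : ALL

# --- /etc/xinetd.d/telnet (xinetd service entry) ---
# xinetd evaluates only_from and the limits below inside one daemon,
# so no state has to be passed between processes via files and locks.
service telnet
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    # Accept connections from the trusted network only; all others are refused.
    only_from       = 192.0.2.0/24
    # Cap the number of concurrent in.telnetd servers for this service.
    instances       = 30
    # Cap concurrent connections from any single client address.
    per_source      = 5
    # Above 25 incoming connections per second, disable the service for 30 s.
    cps             = 25 30
    # Record the address of every refused client.
    log_on_failure  += HOST
}
```

With these in place, a flood from an untrusted address is refused before a server is started, and a flood from a trusted address is bounded by `instances`, `per_source` and `cps`; the refusals show up in syslog via `log_on_failure`, which is the signal to watch when checking whether the limits are actually being hit.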