[11824] in bugtraq


Re: remote DoS against inetd and ssh

daemon@ATHENA.MIT.EDU (Derek Callaway)
Fri Sep 10 18:27:34 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.9909081057380.20055-100000@pager.ce.net>
Date:         Wed, 8 Sep 1999 11:07:27 -0400
Reply-To: Derek Callaway <super@CE.NET>
From: Derek Callaway <super@CE.NET>
X-To:         Grzegorz Stelmaszek <greg@TENET.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.9909030845120.6553-100000@main.tenet.pl>

On Fri, 3 Sep 1999, Grzegorz Stelmaszek wrote:

<snip>

> Both DoS`s use something known as portfuck (e.g. `while true; do telnet
> host port & done`).
> 1. If you use it against any inetd service, inetd will shut down that
> service for about 30 minutes (I did not check, but it seems to be about
> that time).

Of course this is also true for identd. A cracker doesn't have to be a
superuser on a machine in order to disable identd. This makes it
considerably more difficult for the administrators of the victim and
source hosts to recognize a perpetrator. identd (pidentd, anyway) does
not seem to be vulnerable to this when not being wrapped by inetd. I'm
not sure if inetd uses fork() to spawn services but if it does, a signal
handler should be implemented that restarts services upon receipt of
SIGCHLD.

<snip>

> SOLUTION:
> probably running in a ulimit environment (like qmail does) should help and
> additionally in inetd remove this strange 'protection'.
>
> regards,
>   greg AKA VanitaS
>
> ***************************************************************************
> * Grzegorz Stelmaszek        *          For my public PGP key:
> * mailto:greg@tenet.pl       *           finger:greg@tenet.pl
> * http://www.tenet.pl        *         18 E9 5E 6D 78 F0 11 F2
> ******************************         45 CF CF 63 77 C0 A4 20
>

strcpy(hostent->h_name,"jerry.garcia.rocked.com");
Derek Callaway <super@ce.net>
Programmer -- CE Net, Inc.
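The mechanism both posts are arguing about is inetd's "server failing (looping)" check: a counter per service, shared by every client, that stops spawning the service once more than TOOMANY connections arrive within CNT_INTVL seconds and only retries after RETRYTIME. The model below is an added example, not code from either poster or from any inetd; the three constants follow the BSD inetd.c defaults (40 connections, 60 seconds, 600 seconds), while the per-source table, its size and the traffic scenario are constructed for illustration. It shows why the portfuck loop works against the shared counter, and that keying the same limit by client address leaves an ordinary client unaffected by one source's burst.

```c
/*
 * Added example: a model of inetd's "server failing (looping)" rate limit
 * and a per-source alternative. Constants follow the BSD inetd.c defaults
 * (TOOMANY, CNT_INTVL, RETRYTIME); the per-source table and the sample
 * scenario are constructed for illustration and are not from any inetd.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TOOMANY     40          /* more than this many in CNT_INTVL seconds -> "looping" */
#define CNT_INTVL   60          /* counting window, seconds */
#define RETRYTIME   (60 * 10)   /* service stays disabled this long, seconds */
#define MAX_SOURCES 16          /* per-source table size (assumption for the model) */

struct limiter {
    int  count;          /* connections seen in the current window */
    long window_start;   /* start of the current window (seconds) */
    long disabled_until; /* 0, or the time at which the service is re-enabled */
};

/* One connection attempt against a limiter at time `now`.
 * Returns true if the service would be spawned, false if it is refused. */
static bool limiter_accept(struct limiter *l, long now)
{
    if (now < l->disabled_until)
        return false;                          /* still inside the RETRYTIME lockout */
    if (l->count == 0 || now - l->window_start > CNT_INTVL) {
        l->window_start = now;                 /* start a fresh counting window */
        l->count = 0;
    }
    if (++l->count > TOOMANY) {
        l->disabled_until = now + RETRYTIME;   /* "server failing (looping), service terminated" */
        l->count = 0;
        return false;
    }
    return true;
}

struct source_entry { char addr[16]; struct limiter lim; };   /* dotted quad + NUL */
struct per_source   { struct source_entry e[MAX_SOURCES]; int n; };

/* Same limit, but keyed by client address: only the offending source is
 * locked out, so one burst cannot take the service away from everyone. */
static bool per_source_accept(struct per_source *t, const char *addr, long now)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->e[i].addr, addr) == 0)
            return limiter_accept(&t->e[i].lim, now);
    if (t->n == MAX_SOURCES)
        return false;                  /* table full: fail closed for new sources (model simplification) */
    struct source_entry *e = &t->e[t->n++];
    strncpy(e->addr, addr, sizeof e->addr - 1);
    e->addr[sizeof e->addr - 1] = '\0';
    memset(&e->lim, 0, sizeof e->lim);
    return limiter_accept(&e->lim, now);
}

/* How many of `n` connection attempts arriving in the same second get through. */
static int accepted_in_burst(int n)
{
    struct limiter l = {0};
    int ok = 0;
    for (int i = 0; i < n; i++)
        if (limiter_accept(&l, 100))
            ok++;
    return ok;
}

/* Constructed scenario: 10.0.0.1 runs the `while true; do telnet host port & done`
 * loop for 50 seconds, then 192.0.2.7 makes one ordinary connection at t=55.
 * Returns true if the ordinary client is served. */
static bool legit_client_served(bool per_source)
{
    struct limiter global = {0};
    struct per_source table = {0};
    for (long t = 0; t < 50; t++)
        (void)(per_source ? per_source_accept(&table, "10.0.0.1", t)
                          : limiter_accept(&global, t));
    return per_source ? per_source_accept(&table, "192.0.2.7", 55)
                      : limiter_accept(&global, 55);
}

/* Trip the limit at t=0; the service must refuse at RETRYTIME-1 and accept at RETRYTIME. */
static bool recovers_after_retrytime(void)
{
    struct limiter l = {0};
    for (int i = 0; i <= TOOMANY; i++)
        limiter_accept(&l, 0);
    return !limiter_accept(&l, RETRYTIME - 1) && limiter_accept(&l, RETRYTIME);
}

int main(void)
{
    printf("shared counter: %d of 50 simultaneous connections spawned\n", accepted_in_burst(50));
    printf("shared counter: bystander served after the burst? %s\n", legit_client_served(false) ? "yes" : "no");
    printf("per-source:     bystander served after the burst? %s\n", legit_client_served(true) ? "yes" : "no");
    printf("service recovers after RETRYTIME: %s\n", recovers_after_retrytime() ? "yes" : "no");
    return 0;
}
```

With the shared counter the attacker needs no privileges and only TOOMANY+1 connections in one window; the 41st attempt disables the service for every client until RETRYTIME elapses, which is the lockout the original post observed. Keying the counter by source (or, in the spirit of the quoted SOLUTION, bounding the cost of each spawned child with ulimit instead of refusing to spawn at all) keeps the protection against a runaway server without handing an unprivileged remote user a denial of service.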
