[19411] in bugtraq
Re: inetd DoS exploit
daemon@ATHENA.MIT.EDU (Charles M. Hannum)
Wed Feb 28 02:12:10 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID: <20010227121814.E29838@mail.netbsd.org>
Date: Tue, 27 Feb 2001 12:18:14 -0800
Reply-To: "Charles M. Hannum" <root@IHACK.NET>
From: "Charles M. Hannum" <root@IHACK.NET>
X-To: Jose Nazario <jose@BIOCSERVER.BIOC.CWRU.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.30.0102261633260.29130-100000@biocserver.BIOC.CWRU.Edu>; from jose@BIOCSERVER.BIOC.CWRU.EDU on Mon, Feb 26, 2001 at 04:39:58PM -0500

On Mon, Feb 26, 2001 at 04:39:58PM -0500, Jose Nazario wrote:
> this can be stemmed in a number of ways:
>
> 1] using inetd, rate limit the connections. change a line like
>
> telnet stream tcp nowait root /usr/libexec/telnetd telnetd
>
> to
>
> telnet stream tcp nowait.1 root /usr/libexec/telnetd telnetd
>
> this will maximize the number of connections per minute on that service:
>
> (from an inetd manpage on OpenBSD 2.8)

Actually, that was implemented in NetBSD. But regardless, it's not
sufficient. All that does is adjust the threshold at which inetd
decides the server is `looping' and disables it. Setting it to 1, for
example, just makes the problem *much* worse. Setting it to, e.g.,
1000000 will effectively disable the hack, and is a reasonable
workaround if your machine can deal.

The real answer is to implement proper rate-limiting instead. A bonus
would be to implement it in a library (say, libwrap) that standalone
and `wait' services can also use.
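The distinction the reply draws (a looping threshold that turns the service off versus a real rate limiter that keeps it up) can be seen in a small simulation. The following is an added example, not code from this thread or from any inetd source: it models the `nowait.N` counter as a "N connections within one counting window marks the server as looping and disables it for a retry period" rule, and sets a token bucket beside it. The 60 second window and 10 minute retry are assumptions meant to mirror the classic BSD inetd defaults, the accept/fork details are simplified, and the arrival times are constructed.

```python
"""Model of inetd's per-service 'looping' threshold versus a token-bucket limiter.

Added example, not inetd's own code.  Constants are assumptions chosen to
resemble classic BSD inetd defaults; check your own inetd.c before relying
on them.
"""
from dataclasses import dataclass, field

CNT_INTVL = 60.0   # assumed counting window (seconds) for the nowait.N counter
RETRYTIME = 600.0  # assumed time the service stays disabled once marked looping


@dataclass
class LoopingDetector:
    """What 'nowait.N' actually does: count connections, then disable the service."""
    max_per_interval: int
    count: int = 0
    window_start: float = 0.0
    disabled_until: float = 0.0
    accepted: int = 0
    disabled_events: int = 0

    def connection(self, now: float) -> str:
        if now < self.disabled_until:
            return "refused-disabled"      # listening socket is closed: nobody gets in
        self.count += 1
        if self.count == 1:
            self.window_start = now        # first connection opens a new window
        elif self.count >= self.max_per_interval:
            if now - self.window_start > CNT_INTVL:
                self.window_start = now    # window expired: start counting afresh
                self.count = 1
            else:
                # "server failing (looping), service terminated" for RETRYTIME
                self.count = 0
                self.disabled_until = now + RETRYTIME
                self.disabled_events += 1
                return "refused-disabled"
        self.accepted += 1
        return "spawned"


@dataclass
class TokenBucket:
    """A proper rate limiter: excess connections are throttled, the service stays up."""
    rate: float    # sustained connections per second
    burst: float   # how many may arrive back-to-back before throttling starts
    tokens: float = field(init=False)
    last: float = 0.0
    accepted: int = 0
    throttled: int = 0

    def __post_init__(self) -> None:
        self.tokens = self.burst

    def connection(self, now: float) -> str:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.accepted += 1
            return "spawned"
        self.throttled += 1
        return "throttled"               # deferred or dropped, but never disabled


def simulate(policy, arrivals):
    """Feed a list of connection timestamps through a policy; return per-connection outcomes."""
    return [policy.connection(t) for t in arrivals]


# Constructed arrival times: 200 connections in the first two seconds,
# then three legitimate users at 30 s, 90 s and 700 s.
BURST = [i * 0.01 for i in range(200)]
LEGIT = [30.0, 90.0, 700.0]
ARRIVALS = BURST + LEGIT


def compare(max_per_interval: int = 40, rate: float = 2.0, burst: float = 20.0) -> dict:
    """Outcome for the three legitimate users under each policy after the same burst."""
    det = LoopingDetector(max_per_interval)
    bucket = TokenBucket(rate=rate, burst=burst)
    det_res = simulate(det, ARRIVALS)
    bucket_res = simulate(bucket, ARRIVALS)
    return {
        "inetd_threshold": {"legit": det_res[-3:], "disabled_events": det.disabled_events},
        "token_bucket": {"legit": bucket_res[-3:], "throttled": bucket.throttled},
    }


if __name__ == "__main__":
    print(compare())
    # nowait.1: the second connection within the window already disables the service
    print(simulate(LoopingDetector(1), [0.0, 5.0]))
    # nowait.1000000: the counter never trips, which is the workaround the reply mentions
    print(simulate(LoopingDetector(1_000_000), ARRIVALS).count("refused-disabled"))
```

Under the threshold model the burst trips the counter once and the two users who arrive at 30 s and 90 s are refused outright until the retry period ends; with `nowait.1` two connections a few seconds apart are enough to do the same. The token bucket throttles most of the burst but every later user is served, which is the behaviour the reply asks for, and the same logic could live in a library such as libwrap so that `wait' and standalone services share it.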