Date: Mon, 21 Jun 2004 09:51:16 +1200
From: Jason Haar <Jason.Haar@trimble.co.nz>
To: bugtraq@securityfocus.com
Message-ID: <20040620215116.GD13901@trimble.co.nz>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.58L.0406170850060.13324@pingwin.ani>

On Thu, Jun 17, 2004 at 08:50:49AM +0200, Jacek Osiecki wrote:
> I have also checked the latest F-Prot for Windows - it scans the file for
> quite a long time, but finally does not crash and detects the virus
> signature.

Aren't we missing the point here? If I can construct a ~10K file that causes
an AV to hang for 20 mins+ - and I send 50 of them at your server - then
*even if they have no virus in them*, they will DoS you.

Isn't the solution that AVs need to have "resource limits" - where you as
the admin get to set:

* the max size that a file can be expanded to
* the max recursions you will do
* the max time you are willing to spend scanning a message (that would be
  hard - becomes a bit of a loop when under load..)
* the max memory you are willing to let your AV grow to

and if any of those conditions are exceeded, then the AV must block-and-exit
(perhaps with a "DoS" descriptor).

That way larger sites who are willing to throw more hardware at this problem
can have larger limits - basically you can set those values to match your
environment.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
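The resource limits proposed in the message above, sketched as an added example that is not part of the original post and not any AV product's code: a scanner front end that unpacks nested zip archives under admin-set caps and returns a block verdict with a "DoS" descriptor when a cap is hit. The limit names and values, the function names, and the sample archives are all assumptions made up for this illustration.

```python
import io, time, zipfile

# Hypothetical admin-set limits; names and values are assumptions.
# A memory cap is left to the OS (e.g. RLIMIT_AS on the scanner process).
LIMITS = {"max_expanded_bytes": 1_000_000, "max_depth": 3, "max_seconds": 5.0}

class LimitExceeded(Exception):
    """An admin-set limit was hit; the caller blocks the message."""

def expand(data, limits, state, depth=0):
    """Unpack nested zips, yielding leaf payloads for scanning."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        yield data
        return
    if depth >= limits["max_depth"]:
        raise LimitExceeded("max recursion depth")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            chunks = []
            with zf.open(info) as member:
                # Count bytes as they decompress; the size declared
                # in the archive header is not trusted.
                while chunk := member.read(65536):
                    state["bytes"] += len(chunk)
                    if state["bytes"] > limits["max_expanded_bytes"]:
                        raise LimitExceeded("max expanded size")
                    if time.monotonic() > state["deadline"]:
                        raise LimitExceeded("max scan time")
                    chunks.append(chunk)
            yield from expand(b"".join(chunks), limits, state, depth + 1)

def scan_message(data, limits=LIMITS):
    """Return (verdict, reason); limit hits block with a DoS descriptor."""
    state = {"bytes": 0, "deadline": time.monotonic() + limits["max_seconds"]}
    try:
        for leaf in expand(data, limits, state):
            pass  # signature matching on `leaf` would go here
    except LimitExceeded as exc:
        return ("BLOCK", f"DoS: {exc}")
    return ("PASS", "within limits")

def nest(payload, layers):
    """Constructed sample input: wrap payload in `layers` zip layers."""
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"layer{i}", payload)
        payload = buf.getvalue()
    return payload
```

The byte and time budgets are shared across the whole message rather than reset per archive member, so many small members cannot add up past the cap.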