[6758] in bugtraq


Re: easy DoS in most RPC apps

daemon@ATHENA.MIT.EDU (Bill Trost)
Wed May 13 21:15:09 1998

Date: 	Wed, 13 May 1998 16:46:22 -0700
Reply-To: Bill Trost <trost@CLOUD.RAIN.COM>
From: Bill Trost <trost@CLOUD.RAIN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of Tue, 12 May 1998 19:41:21 +0200. 
              <Pine.LNX.3.96.980512193407.10592J-100000@koek.attic.vuurwerk.nl>

Peter van Dijk writes:
    Update: I tested the same trick on two NeXT Mach's. The portmapper is
    vulnerable there, as are possibly other services. NFS is not (not
    directly, a non-working portmapper does have its effect) because it only
    uses UDP.

NFS might have problems on a server that also supports NFS over TCP.

FreeBSD-current seems to have the problem, too (tested against both
amd and portmapper).  The amd one is sort of amusing, as it means that
accesses via it will *hang* so long as the attack is in progress.

I also tried it against the portmapper on SunOS 4.1.3, with similar results.

I also wonder what the effect of this attack could be if combined with
T/TCP and multicast....

I have reported the bug to the FreeBSD folks.

    > On Sat, 28 Mar 1998, Peter van Dijk wrote:
    > > If you connect (using telnet, netcat, anything) to a TCP port assigned to
    > > some RPC protocol (tested with rpc.nfsd/mountd/portmap on Slackware
    > > 3.4/Kernel 2.0.33) and send some 'garbage' (like a newline ;) every 5
    > > seconds or faster, the service will completely stop responding.
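
A defensive sketch for the hang in the quoted report, added here and not part of the thread or of any RPC implementation. It assumes the stall comes from a read timeout that restarts on every trickled byte while one connection holds up the rest (the thread does not state the cause); `recv_exact`, `read_rpc_record`, `MAX_RECORD` and the time budgets are hypothetical, and the framing is ONC RPC record marking (RFC 1831).

```python
import socket
import struct
import time

MAX_RECORD = 1 << 20  # hypothetical cap on one reassembled record (1 MiB)


def recv_exact(sock, n, deadline):
    """Read exactly n bytes. deadline is absolute, so trickled bytes never extend it."""
    buf = b""
    while len(buf) < n:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError("record not completed within budget")
        sock.settimeout(remaining)
        try:
            chunk = sock.recv(n - len(buf))
        except socket.timeout:
            raise TimeoutError("record not completed within budget") from None
        if not chunk:
            raise ConnectionError("peer closed mid-record")
        buf += chunk
    return buf


def read_rpc_record(sock, budget_s):
    """Reassemble one record-marked RPC message, spending at most budget_s in total."""
    deadline = time.monotonic() + budget_s
    record = b""
    while True:
        (mark,) = struct.unpack(">I", recv_exact(sock, 4, deadline))
        length = mark & 0x7FFFFFFF       # low 31 bits: fragment length
        if len(record) + length > MAX_RECORD:
            raise ValueError("declared length exceeds MAX_RECORD")
        record += recv_exact(sock, length, deadline)
        if mark & 0x80000000:            # high bit: last fragment of the record
            return record


if __name__ == "__main__":
    srv, peer = socket.socketpair()      # constructed in-process peer, no network
    peer.sendall(struct.pack(">I", 0x80000000 | 5) + b"hello")
    print(read_rpc_record(srv, 1.0))
    peer.sendall(b"\n")                  # one garbage byte, then silence
    try:
        read_rpc_record(srv, 0.5)
    except TimeoutError as exc:
        print("dropped:", exc)
```

A server using this would close the connection on `TimeoutError`, `ValueError` or `ConnectionError` and go back to serving its other clients.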
