Bugtraq mailing list archives

denial of service attack possible


From: Mark () MISTY COM (Mark Thomas)
Date: Fri, 27 Oct 1995 01:07:41 -0400


Hi,

I posted this to sun-managers, but it has some nasty consequences if deliberately
exploited.  If anyone has any more info, or ideas for a fix, please let me know.

Subject: denial of service problem on port 80 with 4.1.4
To: sun-managers () ra mcs anl gov
Date: Fri, 27 Oct 1995 00:59:49 -0400 (EDT)

I run a web server on a 110 MHz SPARC-5 clone running 4.1.4 with the below kernel
and libc patches, and a second sbus FSBE SCSI and buffered ethernet card:

102264-02,102394-01,102422-01,102426-03,102430-01,102433-01,102516-02,102517-01,102536-01,102545-02

Last night, the machine completely stopped accepting connections on port 80 to the
web server.

netstat -an indicated:
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  205.164.146.26.80      146.94.1.2.2972        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2763        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2762        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2612        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2611        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2610        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2609        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2541        SYN_RCVD
tcp        0      0  *.80                   *.*                    LISTEN

These connections persisted over an hour, and finally I had to block the
specific remote machine with a filter rule in the router, at which point
the web server picked up with its usual incoming connection activity
(greater than 10,000 web connections per hour).

The explanation from the remote site was that they were running tia
(The Internet Adapter), and that it was causing these problems, and
they were working with the makers of the software to fix it.

It concerns me that one remote site can so easily completely block all
incoming tcp/ip connections on a port.  Is this a kernel bug, or something
I can take some measure to prevent on this end?

I know it is not a httpd program related problem, because the problem persisted
even when I tried running a completely differently designed web server program
on that port.  I am also wondering if this particular bug or problem might
account for other periodic times when my machine takes a long time to accept
incoming connections.

If anyone has any more specifics on this problem, please let me know.  When
the server is healthy netstat indicates a couple SYN_RCVD state services, but
they never last from one netstat command to another for the same remote IP.

-Mark



--
Mark G. Thomas (Mark () Misty com)
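An added example, not part of Mark's post: a small Python check that parses the SunOS-style `netstat -an` output quoted above and flags any remote host holding several half-open (SYN_RCVD) connections to one local port, which is the condition the author ended up filtering at the router. The sample rows are constructed from the post, plus one made-up ESTABLISHED row (198.51.100.7 is a placeholder address).

```python
from collections import Counter

# Constructed sample in the SunOS 4.x "netstat -an" layout quoted in the post.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  205.164.146.26.80      146.94.1.2.2972        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2763        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2762        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2612        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2611        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2610        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2609        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2541        SYN_RCVD
tcp        0      0  205.164.146.26.80      198.51.100.7.1040      ESTABLISHED
tcp        0      0  *.80                   *.*                    LISTEN
"""

def split_addr(addr):
    """SunOS joins host and port with a dot ('205.164.146.26.80', '*.80');
    the last dotted component is the port."""
    host, _, port = addr.rpartition(".")
    return host, port

def parse_netstat(text):
    """Return (local_port, remote_host, state) for each tcp connection row,
    skipping the two header lines and anything that is not a tcp socket."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "tcp":
            continue
        _, local_port = split_addr(parts[3])
        remote_host, _ = split_addr(parts[4])
        rows.append((local_port, remote_host, parts[5]))
    return rows

def find_backlog_hogs(text, threshold=5):
    """Count SYN_RCVD sockets per (local_port, remote_host) and return
    [(local_port, remote_host, count)] for sources at or above `threshold`.
    A healthy server shows only a couple of short-lived SYN_RCVD entries."""
    counts = Counter(
        (lp, rh) for lp, rh, state in parse_netstat(text) if state == "SYN_RCVD"
    )
    return sorted((lp, rh, n) for (lp, rh), n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for lp, rh, n in find_backlog_hogs(SAMPLE_NETSTAT):
        print(f"port {lp}: {n} half-open connections from {rh}")
```

On a live host, feed it the real `netstat -an` text and run it periodically; a source that stays above the threshold across several samples, as in the post, is the one to consider filtering.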


