Bugtraq mailing list archives
denial of service attack possible
From: Mark () MISTY COM (Mark Thomas)
Date: Fri, 27 Oct 1995 01:07:41 -0400
Hi,

I posted this to sun-managers, but it has some nasty consequences if deliberately exploited. If anyone has any more info, or ideas for a fix, please let me know.

Subject: denial of service problem on port 80 with 4.1.4
To: sun-managers () ra mcs anl gov
Date: Fri, 27 Oct 1995 00:59:49 -0400 (EDT)

I run a web server on a 110 MHz SPARC-5 clone running 4.1.4 with the below kernel and libc patches, and a second sbus FSBE SCSI and buffered ethernet card:

102264-02,102394-01,102422-01,102426-03,102430-01,102433-01,102516-02,102517-01,102536-01,102545-02

Last night, the machine completely stopped accepting connections on port 80 to the web server. netstat -an indicated:

    Active Internet connections (including servers)
    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    tcp        0      0  205.164.146.26.80      146.94.1.2.2972        SYN_RCVD
    tcp        0      0  205.164.146.26.80      146.94.1.2.2763        SYN_RCVD
    tcp        0      0  205.164.146.26.80      146.94.1.2.2762        SYN_RCVD
    tcp        0      0  205.164.146.26.80      146.94.1.2.2612        SYN_RCVD
    tcp        0      0  205.164.146.26.80      146.94.1.2.2611        SYN_RCVD
    tcp        0      0  205.164.146.26.80      146.94.1.2.2610        SYN_RCVD
    tcp        0      0  205.164.146.26.80      146.94.1.2.2609        SYN_RCVD
    tcp        0      0  205.164.146.26.80      146.94.1.2.2541        SYN_RCVD
    tcp        0      0  *.80                   *.*                    LISTEN

These connections persisted over an hour, and finally I had to block the specific remote machine with a filter rule in the router, at which point the web server picked up with its usual incoming connection activity. (greater than 10,000 web connections per hour)

The explanation from the remote site was that they were running tia (The Internet Adapter), and that it was causing these problems, and they were working with the makers of the software to fix it.

It concerns me that one remote site can so easily completely block all incoming tcp/ip connections on a port. Is this a kernel bug, or something I can take some measure to prevent on this end?

I know it is not a httpd program related problem, because the problem persisted even when I tried running a completely differently designed web server program on that port.

I am also wondering if this particular bug or problem might account for other periodic times when my machine takes a long time to accept incoming connections. If anyone has any more specifics on this problem, please let me know.

When the server is healthy netstat indicates a couple SYN_RCVD state services, but they never last from one netstat command to another for the same remote IP.

-Mark

--
Mark G. Thomas (Mark () Misty com)
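Added example, not part of the original post: a detection sketch for the condition described above, where half-open (SYN_RCVD) connections from one remote host survive from one netstat run to the next instead of clearing. The snapshots are constructed in the netstat layout quoted in the post; the 192.0.2.7 entry, the function names and the threshold of 3 are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: two `netstat -an` snapshots taken some time apart, in the
# layout quoted in the post (IP address and port joined by a dot).
SNAP_1 = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  205.164.146.26.80      146.94.1.2.2972        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2763        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2762        SYN_RCVD
tcp        0      0  205.164.146.26.80      192.0.2.7.1045         SYN_RCVD
tcp        0      0  *.80                   *.*                    LISTEN
"""
SNAP_2 = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  205.164.146.26.80      146.94.1.2.2972        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2763        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2762        SYN_RCVD
tcp        0      0  205.164.146.26.80      192.0.2.7.1045         ESTABLISHED
tcp        0      0  *.80                   *.*                    LISTEN
"""

def half_open(snapshot, port):
    """Return the set of (remote_ip, remote_port) in SYN_RCVD on local `port`."""
    found = set()
    for line in snapshot.splitlines():
        fields = line.split()
        # Skip headers and anything that is not a tcp socket in SYN_RCVD.
        if len(fields) != 6 or fields[0] != "tcp" or fields[5] != "SYN_RCVD":
            continue
        local_port = fields[3].rpartition(".")[2]
        remote_ip, _, remote_port = fields[4].rpartition(".")
        if local_port == str(port):
            found.add((remote_ip, remote_port))
    return found

def stuck_by_host(earlier, later, port, threshold=3):
    """Map remote IP -> count of half-open connections present in BOTH snapshots.

    A healthy server shows SYN_RCVD entries that clear between runs; entries
    that persist are the symptom. `threshold` is an assumed alerting cutoff.
    """
    persistent = half_open(earlier, port) & half_open(later, port)
    counts = Counter(ip for ip, _ in persistent)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(stuck_by_host(SNAP_1, SNAP_2, 80))
```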