Bugtraq mailing list archives

Re: denial of service - inetd on solaris 2.4?


From: casper () holland Sun COM (Casper Dik)
Date: Fri, 24 May 1996 14:31:15 +0200


> I discovered on our Solaris 2.4 boxes that if you telnet to
> the discard port, then quit telnet (using control-right-bracket
> and quit), you leave a single inetd running in an infinite
> read loop. Do this twice, and you get two inetds running...
>
> Obviously you can quickly bog the machine down to a standstill.
> This doesn't happen on Solaris 2.5, so I guess it is some
> inetd bug that's been fixed? Anyone know a 2.4 patch for this?

Patches are:

    102922-03: SunOS 5.4: inetd fixes
    102923-03: SunOS 5.4_x86: inetd fixes

-01 of the above is fine too, -02 is not.

Version -03 was released in Sep '95, -01 some time before that.

> Also: what I haven't seen mentioned yet, the denial of service
> attack is not just to bring down a box. If one is employed on
> Host A, which is trusted by Host B, then this leaves
> the network clear for the bad guy to impersonate Host A (the
> real Host A being effectively muzzled), and thus get into
> Host B.

The IP layer runs at kernel priority and does the 3-way handshake
regardless of user process stress, most of the time.  Connections
to the box will appear to be very slow, but that's because the daemons
will take ages to start.

> If I remember correctly, this was one of Mitnick's tricks
> against Shimomura's collection of machines.

Actually, he filled the receive queue of a service with a lot of
embryonic connections so they came in "SYN_SENT" state.  That way
the target machine won't listen to further packets once the backlog
is overflowed and won't send "RSTs" to bogus ACKs it receives.
Solaris 2.x will continue to send RSTs, even if the backlog is filled.
(And in 2.5+ the ISN is incremented with a random increment too)

Casper
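As an added illustration (not part of this thread, and not Sun's or any stack's real code), the following toy model shows why the muzzling matters: a Host A whose listen backlog is full either stays silent or answers a stray SYN-ACK from Host B with an RST, and only the silent behaviour leaves B's forged half-open session alive. The host names, backlog size and source addresses are constructed; no packets are sent.

```python
# Toy model of a listening TCP endpoint whose backlog fills with half-open
# connections. Constructed example: "Host A" is the flooded, trusted host from
# the thread, "Host B" the host that trusts it. Nothing here touches the network.

from dataclasses import dataclass, field


@dataclass
class ListenEndpoint:
    backlog: int                      # kernel listen queue size (constructed value)
    rst_when_full: bool               # Solaris 2.x behaviour: True; the stacks in the post: False
    embryonic: list = field(default_factory=list)   # SYN received, final ACK still pending

    def on_syn(self, src: str) -> str:
        """SYN from src: queue a half-open entry while the backlog has room."""
        if len(self.embryonic) >= self.backlog:
            return "dropped"          # queue full: further handshakes are ignored
        self.embryonic.append(src)
        return "syn-ack"

    def on_unexpected_synack(self, src: str) -> str:
        """SYN-ACK from src for a connection this host never initiated, i.e. the
        reply Host B sends to a SYN that was forged in Host A's name."""
        if len(self.embryonic) >= self.backlog and not self.rst_when_full:
            return "silent"           # muzzled: B keeps the forged session half-open
        return "rst"                  # RST makes B discard the forged session


def host_a_under_flood(n_syns: int, backlog: int, rst_when_full: bool) -> dict:
    """Fill Host A's listen queue with n_syns unanswered SYNs from constructed
    unroutable sources, then record how it answers Host B's stray SYN-ACK."""
    a = ListenEndpoint(backlog=backlog, rst_when_full=rst_when_full)
    replies = [a.on_syn(f"10.0.0.{i}") for i in range(n_syns)]
    return {
        "queued": replies.count("syn-ack"),
        "dropped": replies.count("dropped"),
        "reply_to_host_b": a.on_unexpected_synack("host-b"),
    }


if __name__ == "__main__":
    for rst in (False, True):
        print("sends RST when backlog full:", rst, host_a_under_flood(8, 5, rst))
```

The second run is the Solaris 2.x case from the post: the backlog still overflows, but the RST reaches Host B and the impersonation step has nothing to build on.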


