Bugtraq mailing list archives
Re: denial of service - inetd on solaris 2.4?
From: casper () holland Sun COM (Casper Dik)
Date: Fri, 24 May 1996 14:31:15 +0200
> I discovered on our solaris 2.4 boxes, that if you telnet to the discard port, then quit telnet (using control-right-bracket and quit), you leave a single inetd running in an infinite read loop. Do this twice, and you get two inetds running... obviously you can quickly bog the machine down to a standstill. This doesn't happen on solaris 2.5, so I guess it is some inetd bug that's been fixed? Anyone know a 2.4 patch for this?

Patches are:

102922-03: SunOS 5.4: inetd fixes
102923-03: SunOS 5.4_x86: inetd fixes

-01 of the above is fine too, -02 is not. Version -03 was released in Sep '95, -01 some time before that.

> Also: what I haven't seen mentioned yet, the denial of service attack is not just to bring down a box. If one is employed on Host A, which is trusted by Host B, then this allows the network clear for the bad guy to impersonate Host A (the real Host A being effectively muzzled), thus get into Host B.

The IP layer runs at kernel priority and does the 3-way handshake regardless of user process stress, most of the time. Connections to the box will appear to be very slow, but that's because the daemons will take ages to start.

> If I remember correctly, this was one of Mitnick's tricks against Shimomura's collection of machines.

Actually, he filled the receive queue of a service with a lot of embryonic connections so they came in "SYN_SENT" state. That way the target machine won't listen to further packets once the backlog is overflowed and won't send "RSTs" to bogus ACKs it receives. Solaris 2.x will continue to send RSTs, even if the backlog is filled. (And in 2.5+ the ISN is incremented with a random increment too.)

Casper
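An added example, not part of the original message and not Sun's code: a shell check that reads `showrev -p` output and classifies a Solaris 2.4 host against the patch revisions named above (-01 and -03 fine, -02 not). The function name, the status words and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Classify inetd patch state from `showrev -p` output on stdin.
# $1 = base patch id from the message: 102922 (SPARC) or 102923 (x86).
# Prints: ok | bad-revision | missing | unverified
# Assumption: on Solaris itself set AWK=nawk, since the stock awk lacks -v.
inetd_patch_status() {
    "${AWK:-awk}" -v base="$1" '
        BEGIN { max = 0; seen = 0 }
        $1 == "Patch:" {
            split($2, p, "-")               # "102922-03" -> id, revision
            if (p[1] == base) {
                seen = 1
                # several revisions may be listed; the highest is in effect
                if (p[2] + 0 > max) max = p[2] + 0
            }
        }
        END {
            if (!seen) { print "missing" }
            else if (max == 1 || max == 3) { print "ok" }
            else if (max == 2) { print "bad-revision" }
            else { print "unverified" }      # revision the message does not cover
        }'
}

# Constructed sample in the `showrev -p` line layout (not from a real host;
# 999999-01 is a placeholder patch id).
SAMPLE_PATCHED='Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 102922-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 102922-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# Demo on the constructed sample; on a real host: showrev -p | inetd_patch_status 102922
printf '%s\n' "$SAMPLE_PATCHED" | inetd_patch_status 102922
```

A result of `unverified` means a revision other than -01, -02 or -03 is installed, which the message says nothing about.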