Bugtraq mailing list archives

Re: News DoS using sendsys


From: Don.Lewis () TSC TDK COM (Don Lewis)
Date: Thu, 27 Aug 1998 16:05:51 -0700


On Aug 27,  9:32am, David Shaw wrote:
} Subject: Re: News DoS using sendsys
} On Wed, Aug 26, 1998 at 03:52:58PM -0700, Russ Allbery wrote:
} > There are several possible solutions at different levels of complexity.
} >
} > First, please make sure that your control.ctl file or the equivalent has a
} > line like:
} >
} >         sendsys:*:*:drop
}
} While you're at it, it might be worth adding:
}
}         senduuname:*:*:drop
}         version:*:*:drop
}
} I suspect that once everyone configures their server to stop responding to
} sendsys, the bombers will switch to senduuname and version.  I have
} already seen a hundred "version" requests come in.  Neither version nor
} senduuname are relevant to the overwhelming majority of INN installations
} out there.

Yup, they've already switched.  There's still a lot of overhead even if
you configure "drop".  Here's something that I found in news.admin.technical
that is relevant for INN users:

From: raoul () shell1 tiac net (Nico Garcia)
Subject: Re: System bogs during sendsys bomb attacks
Approved: scott () zorch SF-Bay ORG
Sender: scott () zorch SF-Bay ORG (Scott Hazen Mueller)
Organization: The Internet Access Company
Message-ID: <6r8cum$dtf () news-central tiac net>
References: <6r6ir7$c6g$1 () canoe xcski com>
Date: Mon, 17 Aug 1998 05:38:28 GMT
Lines: 19

In article <6r6ir7$c6g$1 () canoe xcski com>,
Paul Tomblin <ptomblin () xcski com> wrote:
> I'm running stock INN 1.7.2, and every time I get a batch of HIPCRIME sendsys
> bombs, my load average briefly goes up through the roof.  This is in spite of
> the fact that I have it set to drop sendsys in control.ctl.  I seem to have a
> copy of /var/lib/newsbin/control/sendsys running for each message.  Is there a
> tweak I can do somewhere to reduce the priority on these things?  I thought
> they were run out of ctlrun, but that doesn't appear to be the case.

"echo exit >/var/lib/newsbin/control/sendsys"

That won't prevent the processes but it will shorten the hell out
of their execution time.

--
                                Nico Kadel-Garcia, ne' Garcia
                                raoul () tiac net
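
An added example, not part of the original posts: a shell check that reports which control.ctl action actually applies to sendsys, senduuname and version, so a later, more specific line that overrides the drop entry is noticed. The function names, the sample file and the sender addresses are constructed for illustration; it assumes the type:from:newsgroups:action layout shown above with the last matching line winning, and uses shell globbing as an approximation of INN's wildcard matching.

```shell
#!/bin/sh
# Added example: audit the effective control.ctl action per control message type.
# Assumption: fields are type:from:newsgroups:action and the LAST matching line wins.

# effective_action FILE TYPE SENDER -> prints the action that applies, or "none"
effective_action() {
    file=$1 type=$2 sender=$3 result=none
    while IFS=: read -r msg from groups action; do
        case $msg in ''|'#'*) continue ;; esac      # skip blank and comment lines
        [ -n "$action" ] || continue                # skip malformed lines
        [ "$msg" = "$type" ] || [ "$msg" = all ] || continue
        # The from field is a wildcard pattern; a shell glob approximates it here.
        case $sender in
            $from) result=$action ;;
        esac
    done < "$file"
    printf '%s\n' "$result"
}

# audit_drop FILE -> returns 0 only if all three types named in the thread are dropped
audit_drop() {
    rc=0
    for t in sendsys senduuname version; do
        a=$(effective_action "$1" "$t" someone@example.invalid)
        [ "$a" = drop ] || { echo "WARN: $t -> $a (expected drop)" >&2; rc=1; }
    done
    return $rc
}

# write_sample FILE -> constructed sample control.ctl (not taken from any real server)
write_sample() {
    cat > "$1" <<'EOF'
## constructed sample control.ctl
all:*:*:mail
sendsys:*:*:drop
senduuname:*:*:drop
version:*:*:drop
version:*@example.org:*:doit
EOF
}

# Demo on the constructed sample
tmp=$(mktemp) && write_sample "$tmp"
for t in sendsys senduuname version newgroup; do
    printf '%s -> %s\n' "$t" "$(effective_action "$tmp" "$t" someone@example.invalid)"
done
rm -f "$tmp"
```

This checks only the configured action; as the posts above note, a drop entry does not stop a process from being started for each control message.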


