Bugtraq mailing list archives
Re: News DoS using sendsys
From: Don.Lewis () TSC TDK COM (Don Lewis)
Date: Thu, 27 Aug 1998 16:05:51 -0700
On Aug 27, 9:32am, David Shaw wrote:
} Subject: Re: News DoS using sendsys
} On Wed, Aug 26, 1998 at 03:52:58PM -0700, Russ Allbery wrote:
} > There are several possible solutions at different levels of complexity.
} >
} > First, please make sure that your control.ctl file or the equivalent has a
} > line like:
} >
} > sendsys:*:*:drop
}
} While you're at it, it might be worth adding:
}
} senduuname:*:*:drop
} version:*:*:drop
}
} I suspect that once everyone configures their server to stop responding to
} sendsys, the bombers will switch to senduuname and version. I have
} already seen a hundred "version" requests come in. Neither version nor
} senduuname are relevant to the overwhelming majority of INN installations
} out there.

Yup, they've already switched. There's still a lot of overhead even if
you configure "drop". Here's something that I found in news.admin.technical
that is relevant for INN users:

From: raoul () shell1 tiac net (Nico Garcia)
Subject: Re: System bogs during sendsys bomb attacks
Approved: scott () zorch SF-Bay ORG
Sender: scott () zorch SF-Bay ORG (Scott Hazen Mueller)
Organization: The Internet Access Company
Message-ID: <6r8cum$dtf () news-central tiac net>
References: <6r6ir7$c6g$1 () canoe xcski com>
Date: Mon, 17 Aug 1998 05:38:28 GMT
Lines: 19

In article <6r6ir7$c6g$1 () canoe xcski com>,
Paul Tomblin <ptomblin () xcski com> wrote:
> I'm running stock INN 1.7.2, and every time I get a batch of HIPCRIME
> sendsys bombs, my load average briefly goes up through the roof. This is
> in spite of the fact that I have it set to drop sendsys in control.ctl. I
> seem to have a copy of /var/lib/newsbin/control/sendsys running for each
> message. Is there a tweak I can do somewhere to reduce the priority on
> these things. I thought they were run out of ctlrun, but that doesn't
> appear to be the case.

"echo exit >/var/lib/newsbin/control/sendsys"

That won't prevent the processes but it will shorten the hell out of
their execution time.

--
Nico Kadel-Garcia, ne' Garcia
raoul () tiac net
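
An added example, not part of the original posts: a Python audit that checks a control.ctl for the three drop rules recommended in this thread and flags later lines that override them. It assumes INN's `message:from:newsgroups:action` line format with the last matching line winning and `all` matching every message type; the sample file and the `audit` and `parse_rules` names are constructed for illustration.

```python
# Added example: audit an INN control.ctl for the drop rules named in the thread.
# Assumed format: message:from:newsgroups:action, last matching line wins.

TYPES = ("sendsys", "senduuname", "version")

# Constructed sample file, not taken from any real server.
SAMPLE = """\
## constructed sample control.ctl
all:*:*:mail
sendsys:*:*:drop
senduuname:*:*:drop
sendsys:*@example.org:*:doit
checkgroups:*:*:mail
"""

def parse_rules(text):
    """Return (lineno, message, from, newsgroups, action) for each rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)
        if len(fields) == 4:  # skip malformed lines
            rules.append((lineno, *fields))
    return rules

def audit(text, types=TYPES):
    """Map each type to its problems; an empty list means drop applies to all senders."""
    rules = parse_rules(text)
    report = {}
    for t in types:
        hits = [r for r in rules if r[1] in (t, "all")]
        is_drop = [r[4].split("=")[0] == "drop" for r in hits]
        # Position of the last rule that drops this type for every sender.
        last = max((i for i, r in enumerate(hits) if r[2] == "*" and is_drop[i]), default=-1)
        if last < 0:
            report[t] = [f"no catch-all drop rule for {t}"]
        else:
            # Later non-drop rules win for the senders they match.
            report[t] = [f"line {r[0]} overrides drop for {r[2]}: {r[4]}"
                         for i, r in enumerate(hits) if i > last and not is_drop[i]]
    return report

if __name__ == "__main__":
    for t, problems in audit(SAMPLE).items():
        print(t, "OK" if not problems else problems)
```

A clean report only confirms the configuration; as noted above, a per-message control script process may still be started even when the action is "drop".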