Bugtraq mailing list archives

Re: FTP denial of service attack

From: ahu () CASEMA NET (bert hubert)
Date: Tue, 7 Dec 1999 22:40:09 +0100


On Tue, Dec 07, 1999 at 11:29:56PM +1100, Darren Reed wrote:

Who has more free file descriptors & network ports, you or the ftp server ?


On a general note, and I am thankful that this is relatively unknown as yet,
almost any TCP/IP based service is vulnerable to simple DoS tricks. It is
very easy to create many ''TCP/IP Connections'' which do take resources at
the server end, but very little at the client end.

With the abundance of cracked boxes about, the malicious user may well be
untraceable.

All the malicious user needs to do is send lots of hand crafted SYNs and ACKs
without involving the local OS in any way. The remote server tries to handle
thousands of very real connections which all need to timeout before the
connection is closed and the resources are freed. A PalmPilot could disable
an entire server farm this way.

Current operating systems aren't very well equiped to handle this. Programs
are forced to accept() a connection and have no way to prevent the kernel
from ACKing the connection and allocating resources.

The free unixes these days mostly come with packet filtering available by
default, these might be best off. One could imagine a 'libfilter' which
would easily allow daemons with the right permissions/capabilities to
instruct the kernel to not accept connections anymore from a certain host.

Periodically, the daemon should clear old filters. It should also do this
when instructed and on startup. I think it has merit to investigate this
idea further and implement it portably. Most modern unixes support some form
of packet filtering, libfilter could be a means to provide them to daemons.

There are ways to protect servers against such an attack with dedicated
hardware but such measures are not widely implemented today and may also
'protect' indiscriminately against normal traffic in case of false
positives. A daemon can be more specific in its measures.

Regards,

bert hubert.

--
    +---------------+  |              http://www.rent-a-nerd.nl
    | nerd for hire |  |
    +---------------+  |                     - U N I X -
            |          |          Inspice et cautus eris - D11T'95

Current thread:

Re: FTP denial of service attack, (continued)
- - Re: FTP denial of service attack Renaud Deraison (Dec 07)
    - FTP DoS - PORT and PASV effected. Darren Reed (Dec 07)
    - Re: FTP DoS - PORT and PASV effected. Henrik Nordstrom (Dec 09)
  - Re: FTP denial of service attack antirez () INVECE ORG (Dec 07)
  - Re: FTP denial of service attack Dustin Miller (Dec 07)
    - Re: FTP denial of service attack Hugo.van.der.Kooij () CAIW NL (Dec 08)
    - Re: FTP denial of service attack Paulo Licio de Geus (Dec 09)
    - [Debian] New version of htdig released Aleph One (Dec 10)
    - Fundamental flaw in UnixWare 7 security Brock Tellier (Dec 10)
    - Solaris sadmind Buffer Overflow Vulnerability Alfred Huger (Dec 10)
  - Re: FTP denial of service attack bert hubert (Dec 07)
    - Re: FTP denial of service attack antirez () INVECE ORG (Dec 09)
  - Re: FTP denial of service attack Henrik Nordstrom (Dec 07)
    - Re: FTP denial of service attack Darren Reed (Dec 07)
    - Re: FTP denial of service attack Henrik Nordstrom (Dec 07)
    - Re: FTP denial of service attack Darren Reed (Dec 07)
  - Re: FTP denial of service attack Theo de Raadt (Dec 07)
    - Re: FTP denial of service attack Darren Reed (Dec 07)
  - Re: FTP denial of service attack Gregory A Lundberg (Dec 10)
  - RSAREF2 buffer overflow patch Gerardo Richarte (Dec 10)
- Re: new IE5 remote exploit Shane Hird (Dec 07)

(Thread continues...)