Bugtraq mailing list archives
Re: FTP denial of service attack
From: ahu () CASEMA NET (bert hubert)
Date: Tue, 7 Dec 1999 22:40:09 +0100
On Tue, Dec 07, 1999 at 11:29:56PM +1100, Darren Reed wrote:
Who has more free file descriptors & network ports, you or the ftp server ?
On a general note, and I am thankful that this is relatively unknown as yet, almost any TCP/IP based service is vulnerable to simple DoS tricks. It is very easy to create many ''TCP/IP Connections'' which do take resources at the server end, but very little at the client end. With the abundance of cracked boxes about, the malicious user may well be untraceable. All the malicious user needs to do is send lots of hand crafted SYNs and ACKs without involving the local OS in any way. The remote server tries to handle thousands of very real connections which all need to timeout before the connection is closed and the resources are freed. A PalmPilot could disable an entire server farm this way. Current operating systems aren't very well equiped to handle this. Programs are forced to accept() a connection and have no way to prevent the kernel from ACKing the connection and allocating resources. The free unixes these days mostly come with packet filtering available by default, these might be best off. One could imagine a 'libfilter' which would easily allow daemons with the right permissions/capabilities to instruct the kernel to not accept connections anymore from a certain host. Periodically, the daemon should clear old filters. It should also do this when instructed and on startup. I think it has merit to investigate this idea further and implement it portably. Most modern unixes support some form of packet filtering, libfilter could be a means to provide them to daemons. There are ways to protect servers against such an attack with dedicated hardware but such measures are not widely implemented today and may also 'protect' indiscriminately against normal traffic in case of false positives. A daemon can be more specific in its measures. Regards, bert hubert. -- +---------------+ | http://www.rent-a-nerd.nl | nerd for hire | | +---------------+ | - U N I X - | | Inspice et cautus eris - D11T'95
Current thread:
- Re: FTP denial of service attack, (continued)
- Re: FTP denial of service attack Renaud Deraison (Dec 07)
- FTP DoS - PORT and PASV effected. Darren Reed (Dec 07)
- Re: FTP DoS - PORT and PASV effected. Henrik Nordstrom (Dec 09)
- Re: FTP denial of service attack Renaud Deraison (Dec 07)
- Re: FTP denial of service attack antirez () INVECE ORG (Dec 07)
- Re: FTP denial of service attack Dustin Miller (Dec 07)
- Re: FTP denial of service attack Hugo.van.der.Kooij () CAIW NL (Dec 08)
- Re: FTP denial of service attack Paulo Licio de Geus (Dec 09)
- [Debian] New version of htdig released Aleph One (Dec 10)
- Fundamental flaw in UnixWare 7 security Brock Tellier (Dec 10)
- Solaris sadmind Buffer Overflow Vulnerability Alfred Huger (Dec 10)
- Re: FTP denial of service attack bert hubert (Dec 07)
- Re: FTP denial of service attack antirez () INVECE ORG (Dec 09)
- Re: FTP denial of service attack Henrik Nordstrom (Dec 07)
- Re: FTP denial of service attack Darren Reed (Dec 07)
- Re: FTP denial of service attack Henrik Nordstrom (Dec 07)
- Re: FTP denial of service attack Darren Reed (Dec 07)
- Re: FTP denial of service attack Darren Reed (Dec 07)