Bugtraq mailing list archives

Re: inetd DoS exploit


From: "Charles M. Hannum" <root () IHACK NET>
Date: Tue, 27 Feb 2001 12:18:14 -0800

On Mon, Feb 26, 2001 at 04:39:58PM -0500, Jose Nazario wrote:

> this can be stemmed in a number of ways:
>
> 1] using inetd, rate limit the connections. change a line like
>
> telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
>
> to
>
> telnet  stream  tcp     nowait.1  root    /usr/libexec/telnetd    telnetd
>
> this will maximize the number of connections per minute on that service:
>
> (from an inetd manpage on OpenBSD 2.8)

Actually, that was implemented in NetBSD.  But regardless, it's not
sufficient.  All that does is adjust the threshold at which inetd
decides the server is `looping' and disables it.  Setting it to 1, for
example, just makes the problem *much* worse.  Setting it to, e.g.,
1000000 will effectively disable the hack, and is a reasonable
workaround if your machine can deal.

The real answer is to implement proper rate-limiting instead.  A bonus
would be to implement it in a library (say, libwrap) that standalone
and `wait' services can also use.
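
Added example, not part of the original thread: a small simulation of the difference the reply is drawing. InetdLoopCheck models inetd's nowait.MAX handling as described above (a fork counter that closes the listening socket once MAX is hit inside the counting interval); its constants are assumptions taken from the classic BSD inetd source (TOOMANY 40 per minute, CNT_INTVL 60 s, RETRYTIME 600 s) and what happens to the connection that trips the check is simplified, so check them against your own inetd. TokenBucket is an ordinary token-bucket limiter standing in for the "proper rate-limiting" the reply asks for. The connection timeline is constructed, not captured traffic.

```python
"""Compare inetd's 'looping' threshold (nowait.MAX) with a real rate limiter.

Added example, not code from the original thread or from any inetd.
Constants are assumptions modelled on classic BSD inetd; verify locally.
"""
from dataclasses import dataclass

CNT_INTVL = 60.0    # assumed: seconds over which inetd counts forks
RETRYTIME = 600.0   # assumed: seconds a 'looping' service stays closed


@dataclass
class InetdLoopCheck:
    """nowait.MAX: count forks; if MAX is reached inside CNT_INTVL, close the
    listening socket for RETRYTIME. While closed, the service is down for
    everyone, attacker and legitimate user alike."""
    max_per_interval: int = 40      # inetd's TOOMANY default (assumed)
    count: int = 0
    window_start: float = 0.0
    disabled_until: float = 0.0

    def accept(self, now: float) -> str:
        if now < self.disabled_until:
            return "refused"            # nothing is listening on the port
        if self.disabled_until:         # retry timer fired: listen again, fresh count
            self.disabled_until = 0.0
            self.count = 0
        self.count += 1
        if self.count == 1:
            self.window_start = now     # first fork opens the counting window
        elif self.count >= self.max_per_interval:
            if now - self.window_start > CNT_INTVL:
                self.window_start, self.count = now, 1   # window expired: restart it
            else:                       # "server failing (looping), service terminated"
                self.disabled_until = now + RETRYTIME
                self.count = 0
                return "terminated"     # simplification: this connection is dropped too
        return "served"


@dataclass
class TokenBucket:
    """Proper rate limiting: excess connections are throttled one at a time;
    the listener itself never goes away, so a burst cannot take it down."""
    rate: float                         # sustained connections per second
    burst: int                          # how many may arrive back to back
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst)  # start with a full bucket

    def accept(self, now: float) -> str:
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return "served"
        return "throttled"


# Constructed timeline: an attacker opens 50 connections in 2.5 s, and a
# legitimate user tries the service at 30 s, 2 min, ~7 min and ~12 min.
ATTACK = [i * 0.05 for i in range(50)]
LEGIT = [30.0, 120.0, 400.0, 700.0]


def simulate(limiter):
    """Feed the whole timeline, in order, to one limiter.
    Returns (outcome for each legitimate attempt, attacker connections served)."""
    outcome = {t: limiter.accept(t) for t in sorted(ATTACK + LEGIT)}
    legit = [outcome[t] for t in LEGIT]
    attacker_served = sum(outcome[t] == "served" for t in ATTACK)
    return legit, attacker_served


def compare():
    return {
        "nowait.1": simulate(InetdLoopCheck(max_per_interval=1)),
        "nowait (default 40)": simulate(InetdLoopCheck()),
        "nowait.1000000": simulate(InetdLoopCheck(max_per_interval=1_000_000)),
        "token bucket 1/s, burst 10": simulate(TokenBucket(rate=1.0, burst=10)),
    }


if __name__ == "__main__":
    for name, (legit, served) in compare().items():
        print(f"{name:28s} legit user: {legit}  attacker connections served: {served}")
```

With nowait.1 the second connection of the burst closes the port for ten minutes, so the legitimate user is refused at 30 s, 2 min and ~7 min and only gets in at ~12 min; the default of 40 gives the same result, just after a slightly longer burst, which is the denial of service the thread is about. A huge MAX never trips the check but also never slows the attacker. The token bucket serves the burst up to its depth, throttles the rest, and still admits every legitimate attempt.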

