Bugtraq mailing list archives

Re: Multiple Antivirus Scanners DoS attack.


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 21 Jun 2004 09:51:16 +1200

On Thu, Jun 17, 2004 at 08:50:49AM +0200, Jacek Osiecki wrote:
> I have also checked the latest F-Prot for Windows - it scans the file for
> quite a long time, but finally does not crash and detects the virus
> signature.

Aren't we missing the point here? If I can construct a ~10K file that causes
an AV to hang for 20 mins+ - and I send 50 of them at your server - then
*even if they have no virus in them*, they will DoS you.

Isn't the solution that AVs need to have "resource limits" - where you as
the admin get to set:

* the max size that a file can be expanded to
* the max recursions you will do
* the max time you are willing to spend scanning a message (that would be
  hard - becomes a bit of a loop when under load..)
* the max memory you are willing to let your AV grow to

and if any of those conditions are exceeded, then the AV must block-and-exit
(perhaps with a "DoS" descriptor). That way larger sites who are willing to
throw more hardware at this problem can have larger limits - basically you
can set those values to match your environment.


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
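The resource-limit idea from the post above, as an added example that is not part of the original message or of any scanner the thread discusses: a Python walker over nested zip attachments that enforces an admin-set cap on expanded size, nesting depth and wall-clock time, and blocks-and-exits with a "limit-exceeded" verdict (the post's "DoS" descriptor) the moment any cap is hit. The `ScanLimits` field names, the `SAMPLE-SIGNATURE-MARKER` stand-in for a real signature, and the sample archives are all constructed here for illustration. Because every decompressed byte is counted before it is buffered, the expansion cap also bounds the scanner's memory use; an OS-level address-space limit would be the belt to this braces and is left out.

```python
import io
import time
import zipfile
from dataclasses import dataclass

# Constructed marker standing in for a real virus signature (illustration only).
SIGNATURE = b"SAMPLE-SIGNATURE-MARKER"


@dataclass
class ScanLimits:
    """Admin-settable caps, mirroring the list in the post (field names are assumptions)."""
    max_expanded_bytes: int = 50 * 1024 * 1024  # total decompressed bytes per message
    max_depth: int = 5                           # nested-archive recursion depth
    max_seconds: float = 10.0                    # wall-clock budget per message


@dataclass
class ScanResult:
    verdict: str            # "clean", "infected" or "limit-exceeded" (the "DoS" descriptor)
    reason: str = ""
    expanded_bytes: int = 0
    depth_reached: int = 0


class LimitExceeded(Exception):
    pass


class BoundedScanner:
    """Recursive zip walker that blocks-and-exits as soon as any limit is hit."""

    def __init__(self, limits: ScanLimits):
        self.limits = limits

    def scan(self, data: bytes) -> ScanResult:
        self._start = time.monotonic()
        self._expanded = 0
        self._depth_reached = 0
        try:
            infected = self._scan_bytes(data, depth=0)
        except LimitExceeded as exc:
            return ScanResult("limit-exceeded", str(exc), self._expanded, self._depth_reached)
        return ScanResult("infected" if infected else "clean", "", self._expanded, self._depth_reached)

    def _check_time(self) -> None:
        if time.monotonic() - self._start >= self.limits.max_seconds:
            raise LimitExceeded(f"time budget of {self.limits.max_seconds}s exhausted")

    def _account(self, nbytes: int) -> None:
        self._expanded += nbytes
        if self._expanded > self.limits.max_expanded_bytes:
            raise LimitExceeded(f"expanded size exceeds {self.limits.max_expanded_bytes} bytes")

    def _scan_bytes(self, data: bytes, depth: int) -> bool:
        self._check_time()
        self._depth_reached = max(self._depth_reached, depth)
        if SIGNATURE in data:
            return True
        if not zipfile.is_zipfile(io.BytesIO(data)):
            return False                       # plain content, nothing to expand
        if depth + 1 > self.limits.max_depth:
            raise LimitExceeded(f"archive nesting deeper than {self.limits.max_depth}")
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    # Reject on the declared size first: a bomb announces itself in its header.
                    if self._expanded + info.file_size > self.limits.max_expanded_bytes:
                        raise LimitExceeded(f"entry {info.filename} declares {info.file_size} "
                                            f"bytes, over the {self.limits.max_expanded_bytes}-byte cap")
                    # Then read in chunks and count real output, since headers can lie.
                    buf = bytearray()
                    with zf.open(info) as fh:
                        while chunk := fh.read(64 * 1024):
                            self._account(len(chunk))
                            self._check_time()
                            buf += chunk
                    if self._scan_bytes(bytes(buf), depth + 1):
                        return True
        except zipfile.BadZipFile:
            return False                       # malformed archive: treated as opaque here
        return False


def build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def nested_zip(levels: int, innermost: bytes) -> bytes:
    data = innermost
    for i in range(levels):
        data = build_zip({f"level{i}.zip": data})
    return data


# Constructed samples (no real malware): a benign nest, a marked one, a nest deeper than
# the cap, and a few-KB archive that declares far more output than the cap allows.
SAMPLES = {
    "clean": nested_zip(2, b"quarterly report text"),
    "marked": nested_zip(2, b"body containing " + SIGNATURE),
    "too_deep": nested_zip(8, b"x"),
    "expands_too_much": build_zip({"zeros.bin": b"\0" * (4 * 1024 * 1024)}),
}


def run_samples(limits: ScanLimits = ScanLimits(max_expanded_bytes=1024 * 1024, max_depth=5)) -> dict:
    scanner = BoundedScanner(limits)
    return {name: scanner.scan(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:18} {result.verdict:15} {result.reason}")
```

Run it and the two hostile samples come back as "limit-exceeded" with a reason naming the cap that tripped, which is exactly the descriptor a mail gateway can act on (reject or quarantine) without ever finishing the expansion; the caps live in one dataclass so a larger site can raise them to match its hardware.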

