From owner-freebsd-security Tue Aug 26 18:59:15 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id SAA25170 for security-outgoing; Tue, 26 Aug 1997 18:59:15 -0700 (PDT) Received: from sendero-ppp.i-connect.net (sendero-ppp.i-Connect.Net [206.190.143.100]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id SAA25143 for ; Tue, 26 Aug 1997 18:59:04 -0700 (PDT) Received: (qmail 7031 invoked by uid 1000); 27 Aug 1997 01:59:21 -0000 Message-ID: X-Mailer: XFMail 1.2-alpha [p0] on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit MIME-Version: 1.0 Resent-Date: Tue, 26 Aug 1997 14:51:54 -0400 Resent-Message-Id: <199708261851.OAA04649@tobit.hwaci.vnet.net> Resent-From: "D. Richard Hipp" Resent-To: support@caldera.com Date: Tue, 26 Aug 1997 18:59:21 -0700 (PDT) Organization: Atlas Telecom From: Simon Shapiro To: freebsd-security@freebsd.org Subject: FW: Denial-of-service attack against INETD. Redhat 4.X and othe Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Have you guys seen, or care about that? From: "D. Richard Hipp" To: support@caldera.com, security@debian.org, dholland@hcs.harvard.edu, cert@cert.org, bugs@redhat.com Subject: Denial-of-service attack against INETD. Redhat 4.X and others... Cc: bwarren@cti-ltd.com -----BEGIN PGP SIGNED MESSAGE----- Gentle People, I recently discovered a problem with the "inetd" running on RedHat Linux version 4.x that makes all services launched from inetd vulnerable to a denial-of-service attack. I obtained a copy of the inetd source code, made changes to fix the problem, and am hereby releasing those changes back to the public. Note that I have only observed this problem in RedHat 4.X because that is all that I run at my site. However the source code that I changed is generic BSD code from the 1980s. I suspect that other Linux distributions, and other Unix systems, are running the same version of inetd and suffer from the same problem. The following TCL script illustrates the denial-of-service attack that my changes are intended to address: for {set i 0} {$i<100} {incr i} { set s [socket 127.0.0.1 23] close $s } Executing the above script will cause "telnet" service on the local host to be shutdown for 10 minutes. It is a simple matter to attack other services or hosts by changing the TCP port number or IP address. This attack originates from a "misfeature" of inetd. (I call the problem a "misfeature" rather than a "bug" since someone went to a lot of trouble to put it in.) If more than a given number (default 40) of requests for a service arrive within a 60 second interval, that service is shutdown. The listening socket is closed. Attempts to use that service will result in a "Connection refused" error message. The service remains off for 10 minutes. A system administrator can increase the turn-off threshold to a larger value (by adjusting the "max" parameter in /etc/inetd.conf), but the mechanism cannot be completely disabled. I have implemented changes to the inetd program that address this problem, as follows: The program still limits the number of services that will be launched within a 60 second window, but it does so by refusing to "accept()" new connections too rapidly. The listening socket is never closed, and users never get a "Connection refused" error. They just see a slower response. For the default value of 40 services/second, inetd will now wait 1500 milliseconds after doing an accept() before doing another accept() on that same service. All services are handled independently, so an accept() for "ftp" will not impede a subsequence accept() calls on "telnet", for example. Furthermore, the throttling mechanism can be completely disabled by setting the "max" parameter to "0" in /etc/inetd.conf. In the course of making this change, I discovered and fixed another small problem with inetd. It used to be that inetd would sleep (ignoring all connection attempts) for one second after receiving any signal. This effectivelly limited the number of services that inetd can launch to less than 1 per second, since inetd gets a SIGCHLD signal for every service launched. One other change: it used to be that if bind() fields when setting up a socket, inetd would wait 10 minutes before trying again. I lowered this value to 10 seconds. The source code that I modified was obtained from the NetKit-B-0.08 package. All of my changes are restricted to the inetd subdirectory of that package. A copy of my revisions can be obtained from http://users.vnet.net/drh/inetd.fix.tar.gz The md5sum for this archive is e2f1ab88af8aaa5524de683c149b39f6. I have made no attempt to repackage these changes back into NetKit-B-0.08 or to reassemble them back into the RPM from which I obtained them. My hope is that these steps will be undertaken by someone who knows better than I how such things are done. D. Richard Hipp Charlotte Aug 16, 1997. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNAMlLjM03TfL2vVNAQEaggP/XrAkNF7d/h0IGRomRfrl8/68qXG/hWjY DjgDH5npl8SSvCInf2wxk17JErp7/+bLTuNl5c8fLdJ43fRHYlMG/5CGxCzUzmQg tOa3qEQ2i/pbzosegUX/XvQNkuhZ1GkyFZX1IOl8AgisqnaMTCzweFarCZdIB+tB Rd9eKurA+Ro= =Kg9I -----END PGP SIGNATURE----- -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to debian-private-request@lists.debian.org . Trouble? e-mail to templin@bucknell.edu . --------------End of forwarded message------------------------- --- Sincerely Yours, (Sent on 26-Aug-97, 18:40:48 by XF-Mail) Simon Shapiro i-Connect.Net, a Division of iConnect Corp. Director of Technology 14355 SW Allen Blvd., Suite 140 Beaverton OR 97008 Shimon@i-Connect.Net Voice: 503.677.2900, Emergency: 503.799-2313