From owner-cvs-all  Fri Jul 23  5:29:35 1999
Delivered-To: cvs-all@freebsd.org
Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175])
	by hub.freebsd.org (Postfix) with ESMTP
	id 795CE14F8C; Fri, 23 Jul 1999 05:29:02 -0700 (PDT)
	(envelope-from sheldonh@axl.noc.iafrica.com)
Received: from sheldonh (helo=axl.noc.iafrica.com)
	by axl.noc.iafrica.com with local-esmtp (Exim 3.02 #1)
	id 117eSJ-000ApE-00; Fri, 23 Jul 1999 14:29:39 +0200
From: Sheldon Hearn <sheldonh@uunet.co.za>
To: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
Cc: Brian Feldman <green@FreeBSD.org>, hackers@freebsd.org
Subject: Re: cvs commit: src/usr.sbin/inetd builtins.c inetd.h 
In-reply-to: Your message of "Fri, 23 Jul 1999 11:28:12 +0200."
             <19990723112812.A3847@internal> 
Date: Fri, 23 Jul 1999 14:29:19 +0200
Message-ID: <41604.932732959@axl.noc.iafrica.com>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk


[Hijacked from cvs-committers and cvs-all]

On Fri, 23 Jul 1999 11:28:12 +0200, Andre Albsmeier wrote:

> I observed some kind of denial of service on -STABLE: I was
> playing with the new nmap and did a 'nmap -sU printfix'.
> inetd was running as "inetd -l" and started sucking all the
> CPU time even the nmap had been terminated long ago.

What does "sucking all the CPU time" mean? Does it mean that other
programs were suffering, or does it mean that it was the only
significant user of CPU and so showed up at close to 100% CPU usage?

I suspect that the latter is true.

> /var/log/messages file showed zillions of the following lines
> being added continously:

Well, you did ask for them (inetd -l). :-)

> Jul 23 11:21:28 <daemon.info> printfix inetd[1743]: time from [...]
> Jul 23 11:21:28 <daemon.info> printfix inetd[1743]: daytime from [...]

Usually syslog will give you "last message repeated X times".
Unfortunately, the alternation of the messages makes this impossible.

David Malone had a few ideas on "clever" handling of UDP. While what
he suggests might help reduce the number of messages you receive under
legitimate use, it won't help against DoS, since the sender of packets
can simply randomize the origin addresses.

> Maybe you got an idea...

I know exactly why you see what you see when you do what you do. All I
can say is "don't do that", because I can't think of a why to cater for
what you're doing in a sensible fashion.

Ciao,
Sheldon.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message