Date: Mon, 26 Feb 2001 18:36:21 -0600
From: Marius Strom <marius@marius.org>
To: security@FreeBSD.ORG
Subject: Re: bugtraq inetd DoS exploit *PFFT*
Message-ID: <20010226183621.O12721@marius.org>
In-Reply-To: <20010227105017.A74709@albury.net>; from nicks@albury.net on Tue, Feb 27, 2001 at 10:50:17AM +1100
References: <20010227105017.A74709@albury.net>
This is not a "vulnerability", per se. inetd(8) will suspend a service for 10 minutes if a certain number of them are started within a certain time, hence your log message. Not to deny that it's a limited DoS condition, but it was programmed that way.

To update this on a per-service basis (say, your pop3 daemon takes lots of hits under normal traffic) do the following:

    pop3 stream tcp nowait.384 root /usr/local/libexec/ipop3d ipop3d

Where 384 is the number to allow per one-minute period.

Verbatim from the ERROR MESSAGES section of the inetd(8) man page:

     The inetd server logs error messages using syslog(3).  Important error
     messages and their explanations are:

     service/protocol server failing (looping), service terminated.
             The number of requests for the specified service in the past
             minute exceeded the limit.  The limit exists to prevent a broken
             program or a malicious user from swamping the system.  This
             message may occur for several reasons:
             1.   There are many hosts requesting the service within a short
                  time period.
             2.   A broken client program is requesting the service too
                  frequently.
             3.   A malicious user is running a program to invoke the service
                  in a denial-of-service attack.
             4.   The invoked service program has an error that causes clients
                  to retry quickly.
             Use the -R rate option, as described above, to change the rate
             limit.  Once the limit is reached, the service will be reenabled
             automatically in 10 minutes.

On Tue, Feb 27, 2001 at 10:50:17AM +1100, Nick Slager wrote:
> 
> The inetd shipped with FreeBSD appears vulnerable to the inetd DoS
> exploit posted on bugtraq.
> 
> inetd logs the following:
> 
> Feb 27 10:23:12 host inetd[5337]: ftp/tcp server failing (looping), service terminated
> 
> System:
> 
> % uname -v
> FreeBSD 4.2-STABLE #1: Fri Feb 9 11:27:05 EST 2001
> nicks@lorien.slartibartfast.net:/usr/src/sys/compile/LORIEN4
> 
> As a workaround, start inetd with the -C flag.
> 
> 
> Nick
> 
> --
> Nick Slager | Quidquid latine dictum
>             | sit, altum viditur.
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Marius Strom <marius@marius.org>
Professional Geek/Unix System Administrator
URL: http://www.marius.org/
http://www.marius.org/marius.pgp 0x55DE53E4

"Never underestimate the bandwidth of a mini-van full of DLT tapes
traveling down the highway at 65 miles per hour..."
    -Andrew Tanenbaum, "Computer Networks"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
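An added example, not part of the mailing-list thread and not FreeBSD's inetd code: a small Python model of the per-service rate limit the reply describes, a parser that reads the per-minute limit out of inetd.conf lines (the plain `nowait` default versus the `nowait.384` override shown above), and a scanner that picks the "server failing (looping)" line out of sample syslog output so an operator can tell a legitimate traffic spike from a stuck client. Assumptions: the default limit of 256 is taken from FreeBSD inetd's `-R` default (the thread names the option but not its value), the 10-minute suspension comes from the quoted man page text, the sliding 60-second window is a simplification of inetd's own bookkeeping, the per-source `-C` limit Nick mentions is not modelled, and the config excerpt and log lines are constructed.

```python
"""Toy model of the inetd(8) per-service rate limit plus a syslog scanner.

Example code added to the thread; not FreeBSD's inetd implementation.
"""
import re
from collections import defaultdict, deque

DEFAULT_RATE = 256      # assumption: FreeBSD inetd's -R default
WINDOW_SECONDS = 60     # "requests ... in the past minute"
SUSPEND_SECONDS = 600   # "reenabled automatically in 10 minutes"

# Field 4 of an inetd.conf line is wait/nowait, optionally followed by ".N"
# to override the per-minute limit for that one service (e.g. nowait.384).
_WAIT_RE = re.compile(r"^(wait|nowait)(?:\.(\d+))?$")

# The message the man page excerpt documents, as it appears via syslog.
_LOOP_RE = re.compile(
    r"inetd\[(\d+)\]: (\S+/\S+) server failing \(looping\), service terminated")


def parse_inetd_conf(text, default_rate=DEFAULT_RATE):
    """Return {"service/proto": per_minute_limit} for each active conf line."""
    limits = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed entry; skip rather than guess
        service, proto, wait_field = fields[0], fields[2], fields[3]
        m = _WAIT_RE.match(wait_field)
        if not m:
            continue
        limit = int(m.group(2)) if m.group(2) else default_rate
        limits[f"{service}/{proto}"] = limit
    return limits


class RateLimiter:
    """Suspend a service for SUSPEND_SECONDS once it exceeds its limit."""

    def __init__(self, limits):
        self.limits = limits
        self.hits = defaultdict(deque)   # service -> request times in window
        self.suspended_until = {}        # service -> time it is re-enabled
        self.events = []                 # (time, service, "suspended"/"reenabled")

    def request(self, service, now):
        """Return True if the service would be spawned for this request."""
        until = self.suspended_until.get(service)
        if until is not None:
            if now < until:
                return False             # still in the 10-minute penalty box
            del self.suspended_until[service]
            self.events.append((now, service, "reenabled"))
        window = self.hits[service]
        window.append(now)
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()             # drop requests older than a minute
        if len(window) > self.limits.get(service, DEFAULT_RATE):
            self.suspended_until[service] = now + SUSPEND_SECONDS
            self.events.append((now, service, "suspended"))
            window.clear()
            return False
        return True


def find_looping_events(log_lines):
    """Return [(pid, "service/proto")] for every looping message found."""
    return [(int(m.group(1)), m.group(2))
            for m in map(_LOOP_RE.search, log_lines) if m]


# Constructed sample input (not from the thread's hosts).
SAMPLE_CONF = """\
# constructed inetd.conf excerpt
ftp    stream  tcp   nowait      root  /usr/libexec/ftpd         ftpd -l
pop3   stream  tcp   nowait.384  root  /usr/local/libexec/ipop3d ipop3d
"""

SAMPLE_LOG = [
    "Feb 27 10:23:12 host inetd[5337]: ftp/tcp server failing (looping), service terminated",
    "Feb 27 10:23:13 host sshd[120]: Accepted publickey for nicks from 10.0.0.5",
]


def demo():
    """300 hits in one second: ftp (limit 256) trips, pop3 (limit 384) does not."""
    rl = RateLimiter(parse_inetd_conf(SAMPLE_CONF))
    ftp_spawned = sum(rl.request("ftp/tcp", t / 1000.0) for t in range(300))
    pop3_spawned = sum(rl.request("pop3/tcp", t / 1000.0) for t in range(300))
    ftp_after_10min = rl.request("ftp/tcp", 601.0)
    return {
        "ftp_spawned": ftp_spawned,            # 256, then suspended
        "pop3_spawned": pop3_spawned,          # all 300 served
        "ftp_after_10min": ftp_after_10min,    # True: re-enabled
        "events": rl.events,
        "looping_lines": find_looping_events(SAMPLE_LOG),
    }


if __name__ == "__main__":
    print(demo())
```

Raising `nowait.N` only buys headroom for the service in question; the looping message is still the signal to look at, since reason 1 in the man page (many hosts) and reasons 2 and 4 (a misbehaving client or a service that makes clients retry) call for different fixes.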