From owner-freebsd-security Mon Feb 26 16:36:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from marius.org (marius.org [216.88.115.170]) by hub.freebsd.org (Postfix) with ESMTP id 7FD9A37B401 for ; Mon, 26 Feb 2001 16:36:22 -0800 (PST) (envelope-from marius@marius.org)
Received: (from marius@localhost) by marius.org (8.11.0/8.11.0) id f1R0aLe91369 for security@FreeBSD.ORG; Mon, 26 Feb 2001 18:36:21 -0600 (CST)
Date: Mon, 26 Feb 2001 18:36:21 -0600
From: Marius Strom
To: security@FreeBSD.ORG
Subject: Re: bugtraq inetd DoS exploit *PFFT*
Message-ID: <20010226183621.O12721@marius.org>
Mail-Followup-To: security@FreeBSD.ORG
References: <20010227105017.A74709@albury.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010227105017.A74709@albury.net>; from nicks@albury.net on Tue, Feb 27, 2001 at 10:50:17AM +1100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is not a "vulnerability", per se. inetd(8) will suspend a service for 10 minutes if a certain number of them are started within a certain time, hence your log message. Not to deny that it's a limited DoS condition, but it was programmed that way.

To update this on a per-service basis (say, your pop3 daemon takes lots of hits under normal traffic) do the following:

    pop3 stream tcp nowait.384 root /usr/local/libexec/ipop3d ipop3d

Where 384 is the number to allow per one minute period.

Verbatim from the ERROR MESSAGES section of the inetd(8) man page:

    The inetd server logs error messages using syslog(3). Important error
    messages and their explanations are:

    service/protocol server failing (looping), service terminated.
         The number of requests for the specified service in the past minute
         exceeded the limit. The limit exists to prevent a broken program or a
         malicious user from swamping the system. This message may occur for
         several reasons:

         1. There are many hosts requesting the service within a short time
            period.
         2. A broken client program is requesting the service too frequently.
         3. A malicious user is running a program to invoke the service in a
            denial-of-service attack.
         4. The invoked service program has an error that causes clients to
            retry quickly.

         Use the -R rate option, as described above, to change the rate limit.
         Once the limit is reached, the service will be reenabled automatically
         in 10 minutes.

On Tue, Feb 27, 2001 at 10:50:17AM +1100, Nick Slager wrote:
>
> The inetd shipped with FreeBSD appears vulnerable to the inetd DoS
> exploit posted on bugtraq.
>
> inetd logs the following:
>
> Feb 27 10:23:12 host inetd[5337]: ftp/tcp server failing (looping), service terminated
>
> System:
>
> % uname -v
> FreeBSD 4.2-STABLE #1: Fri Feb 9 11:27:05 EST 2001
> nicks@lorien.slartibartfast.net:/usr/src/sys/compile/LORIEN4
>
> As a workaround, start inetd with the -C flag.
>
>
> Nick
>
> --
> Nick Slager | Quidquid latine dictum
>             | sit, altum viditur.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
Marius Strom
Professional Geek/Unix System Administrator
URL: http://www.marius.org/
http://www.marius.org/marius.pgp 0x55DE53E4
"Never underestimate the bandwidth of a mini-van full of DLT tapes
traveling down the highway at 65 miles per hour..."
-Andrew Tanenbaum, "Computer Networks"
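The point both posters are circling is that a single global per-service counter turns a flood from one host into an outage for everyone, while a per-host counter (what the -C flag adds) only costs the flooding host. The following is an added illustration, not code from either message or from FreeBSD's inetd: a deliberately simplified Python model of a per-service invocation limit with a 60-second window and a 10-minute suspension, as the quoted man page text describes, beside a per-host limit that drops only the offending host's connections. The default of 256 invocations per minute, the exact counting rules, the log wording for the per-host case, and the traffic pattern are all assumptions constructed for the example, not measurements of inetd.

```python
"""Simplified model of an inetd-style per-service rate limit (-R) and a
per-host rate limit (-C).  Assumed behaviour, not inetd's actual code."""
from collections import defaultdict

WINDOW = 60          # seconds: the "past minute" the man page refers to
RETRY_TIME = 600     # seconds: service is re-enabled after 10 minutes
DEFAULT_RATE = 256   # assumed default invocations/minute for this model


class RateLimitedService:
    """One inetd.conf entry with an optional per-host limit."""

    def __init__(self, name, max_per_minute=DEFAULT_RATE, max_per_host=None):
        self.name = name
        self.max_per_minute = max_per_minute
        self.max_per_host = max_per_host          # None means no -C style limit
        self.count = 0                            # invocations in current window
        self.window_start = None
        self.disabled_until = None                # set while service is suspended
        self.host_stamps = defaultdict(list)      # src address -> accept times
        self.log = []                             # what inetd would syslog

    def connect(self, now, src):
        """Handle one incoming connection at time `now` from address `src`.
        Returns 'served', 'dropped' (per-host limit hit) or 'suspended'."""
        # A suspended service rejects everyone until RETRY_TIME has elapsed.
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return "suspended"
            self.disabled_until = None
            self.count = 0

        # Per-host limit: refuse only this host, leave the service running.
        if self.max_per_host is not None:
            recent = [t for t in self.host_stamps[src] if now - t < WINDOW]
            if len(recent) >= self.max_per_host:
                self.host_stamps[src] = recent
                self.log.append(f"{self.name} from {src} exceeded counts/min")
                return "dropped"
            recent.append(now)
            self.host_stamps[src] = recent

        # Global limit: too many invocations within one minute suspends
        # the whole service, which is the DoS the thread is about.
        if self.count == 0:
            self.window_start = now
        self.count += 1
        if self.count >= self.max_per_minute:
            if now - self.window_start <= WINDOW:
                self.log.append(
                    f"{self.name} server failing (looping), service terminated")
                self.disabled_until = now + RETRY_TIME
                self.count = 0
                return "suspended"
            self.count = 0          # window expired: start counting afresh
        return "served"


def simulate(per_host_limit=None):
    """Constructed traffic: one attacker opens 300 connections in 30 s,
    then a legitimate client connects once at t=45 s.  Returns the outcome
    tally keyed by 'who:result' and the simulated log lines."""
    svc = RateLimitedService("ftp/tcp", max_per_host=per_host_limit)
    tally = defaultdict(int)
    for i in range(300):
        tally["attacker:" + svc.connect(i * 0.1, "10.0.0.66")] += 1
    tally["victim:" + svc.connect(45.0, "192.0.2.10")] += 1
    return dict(tally), svc.log


if __name__ == "__main__":
    for limit in (None, 50):
        tally, log = simulate(limit)
        print(f"per-host limit={limit}: {tally}; first log line: {log[0]!r}")
```

With only the global limit the attacker's 256th connection trips the counter, the service is suspended for ten minutes, and the legitimate client at t=45 s is refused; with a per-host limit of 50 the attacker is cut off after 50 connections while the service keeps answering other hosts. The model ignores what real inetd does with the connection that trips the limit beyond closing it, and it does not distinguish wait from nowait services.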