Date:      Fri, 23 Jul 1999 15:06:02 +0200
From:      Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
To:        Sheldon Hearn <sheldonh@uunet.co.za>
Cc:        Andre Albsmeier <andre.albsmeier@mchp.siemens.de>, Brian Feldman <green@FreeBSD.org>, hackers@FreeBSD.org
Subject:   Re: cvs commit: src/usr.sbin/inetd builtins.c inetd.h
Message-ID:  <19990723150602.B10047@internal>
In-Reply-To: <41604.932732959@axl.noc.iafrica.com>; from Sheldon Hearn on Fri, Jul 23, 1999 at 02:29:19PM +0200
References:  <19990723112812.A3847@internal> <41604.932732959@axl.noc.iafrica.com>

On Fri, 23-Jul-1999 at 14:29:19 +0200, Sheldon Hearn wrote:
> 
> [Hijacked from cvs-committers and cvs-all]
> 
> On Fri, 23 Jul 1999 11:28:12 +0200, Andre Albsmeier wrote:
> 
> > I observed some kind of denial of service on -STABLE: I was
> > playing with the new nmap and did a 'nmap -sU printfix'.
> > inetd was running as "inetd -l" and started sucking all the
> > CPU time even though nmap had been terminated long ago.
> 
> What does "sucking all the CPU time" mean? Does it mean that other
> programs were suffering, or does it mean that it was the only
> significant user of CPU and so showed up at close to 100% CPU usage?
>
> I suspect that the latter is true.

It's only nearly 50% because syslogd gets most of the other half :-)

But when inetd is run without -l it gets 100%.


> > /var/log/messages file showed zillions of the following lines
> > being added continously:
> 
> Well, you did ask for them (inetd -l). :-)
>
> > Jul 23 11:21:28 <daemon.info> printfix inetd[1743]: time from [...]
> > Jul 23 11:21:28 <daemon.info> printfix inetd[1743]: daytime from [...]
> 
> Usually syslog will give you "last message repeated X times".
> Unfortunately, the alternation of the messages makes this impossible.
> 
> David Malone had a few ideas on "clever" handling of UDP. While what
> he suggests might help reduce the number of messages you receive under
> legitimate use, it won't help against DoS, since the sender of packets
> can simply randomize the origin addresses.
> 
> > Maybe you got an idea...
> 
> I know exactly why you see what you see when you do what you do. All I
> can say is "don't do that", because I can't think of a way to cater for
> what you're doing in a sensible fashion.


I think I didn't describe the problem clearly, so I will try again :-)

1. I run 'nmap -sU printfix' on the 192.168.17.100 machine.
2. After nmap has finished it shows me the open ports.
3. We wait, e.g. 1 minute.
4. inetd, which runs with -l, continues logging to syslogd and
   never stops. Here is a top snapshot taken one minute later:

last pid:  4040;  load averages:  0.96,  0.56,  0.29   up 0+06:19:27  14:56:00
36 processes:  2 running, 34 sleeping
CPU states: 54.3% user,  0.0% nice, 41.9% system,  3.9% interrupt,  0.0% idle
Mem: 8500K Active, 37M Inact, 12M Wired, 3428K Cache, 7592K Buf, 532K Free
Swap: 49M Total, 49M Free
 
  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 3748 root      58   0   956K   704K RUN      0:20 44.97% 44.97% inetd
  122 root       2   0   848K   576K select   3:10 36.47% 36.47% syslogd
  127 root       2   0  1588K  1228K select   0:05  0.00%  0.00% named
  200 root       2   0   876K   524K select   0:02  0.00%  0.00% lpd
  132 root       2 -52  1236K   732K select   0:02  0.00%  0.00% xntpd


In case we start inetd without -l, it doesn't log to syslogd anymore
and therefore consumes all the CPU for itself:

last pid:  4397;  load averages:  1.59,  1.10,  0.55    up 0+06:22:14  14:58:47
111 processes: 2 running, 109 sleeping
CPU states: 61.2% user,  0.0% nice, 38.0% system,  0.8% interrupt,  0.0% idle
Mem: 10M Active, 30M Inact, 14M Wired, 3776K Cache, 7592K Buf, 3688K Free
Swap: 49M Total, 49M Free

  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 4043 root     104   0   956K   740K RUN      1:33 97.66% 97.61% inetd
  122 root       2   0   848K   576K select   3:16  0.00%  0.00% syslogd
  127 root       2   0  1588K  1228K select   0:05  0.00%  0.00% named


Remember that nmap finished a long time ago. I think inetd
is stuck in some loop which can be terminated only by killing and
restarting it.

	-Andre

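The thread does not say what in inetd's builtins.c actually spins, so the following is an added illustration, not FreeBSD's inetd code: a minimal select()-driven UDP "daytime"-style responder in two variants, fed a single constructed probe datagram the way nmap -sU would send one. The buggy variant answers the peer but only MSG_PEEKs the request, so the socket stays readable and select() wakes up forever (every wake-up is where "inetd -l" would syslog a "daytime from ..." line); the fixed variant consumes the datagram with recvfrom() and goes idle after one reply. Whether this is the mechanism behind the report is an assumption; it is one well-known way a one-shot UDP scan turns into an endless 100% CPU loop.

```c
/* Added example (not inetd's code): why a UDP dispatcher can spin after one probe.
 * Assumption: the mechanism is a readable socket whose datagram is never consumed. */
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

/* Bind a UDP socket to an ephemeral loopback port; fill *bound with its address. */
static int bind_loopback_udp(struct sockaddr_in *bound) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { close(fd); return -1; }
    socklen_t len = sizeof *bound;
    if (getsockname(fd, (struct sockaddr *)bound, &len) < 0) { close(fd); return -1; }
    return fd;
}

/* Answer one request like a daytime builtin. drain=1 consumes the datagram;
 * drain=0 only peeks at it, leaving it queued so the socket stays readable. */
static void serve_one(int fd, int drain) {
    char buf[512], out[64];
    struct sockaddr_in peer;
    socklen_t plen = sizeof peer;
    memset(&peer, 0, sizeof peer);
    int flags = drain ? 0 : MSG_PEEK;
    if (recvfrom(fd, buf, sizeof buf, flags, (struct sockaddr *)&peer, &plen) < 0) return;
    time_t now = time(NULL);
    strftime(out, sizeof out, "%a %b %d %H:%M:%S %Y\r\n", gmtime(&now));
    sendto(fd, out, strlen(out), 0, (struct sockaddr *)&peer, plen);
}

/* Dispatcher loop with a short idle timeout and an iteration cap so the
 * demonstration terminates. Returns how many times select() reported the
 * socket readable (each one is a syslog line under "inetd -l"). */
static int dispatch(int fd, int drain, int max_iterations) {
    int served = 0;
    while (served < max_iterations) {
        fd_set rd;
        FD_ZERO(&rd);
        FD_SET(fd, &rd);
        struct timeval tv = { 0, 50 * 1000 };      /* 50 ms idle timeout */
        int n = select(fd + 1, &rd, NULL, NULL, &tv);
        if (n <= 0) break;                          /* queue empty: go idle */
        serve_one(fd, drain);
        served++;
    }
    return served;
}

/* One constructed scanner probe, then the dispatcher. Returns the number of
 * service runs: 1 is healthy, reaching cap means the loop never ends on its
 * own (the behaviour reported above). -1 means loopback setup failed. */
static int probe_then_serve(int drain, int cap) {
    struct sockaddr_in saddr, caddr;
    int sfd = bind_loopback_udp(&saddr);
    int cfd = bind_loopback_udp(&caddr);
    if (sfd < 0 || cfd < 0) {
        if (sfd >= 0) close(sfd);
        if (cfd >= 0) close(cfd);
        return -1;
    }
    /* Constructed probe: a tiny datagram, as a UDP port scan would send. */
    if (sendto(cfd, "\n", 1, 0, (struct sockaddr *)&saddr, sizeof saddr) < 0) {
        close(sfd); close(cfd);
        return -1;
    }
    int served = dispatch(sfd, drain, cap);
    close(sfd);
    close(cfd);
    return served;
}

int main(void) {
    printf("fixed (recvfrom drains):   %d service runs\n", probe_then_serve(1, 100));
    printf("buggy (datagram left queued): %d service runs (hit cap)\n", probe_then_serve(0, 100));
    return 0;
}
```

Run it and the fixed variant reports a single service run before select() times out, while the peeking variant hits the cap immediately; without the cap it would spin exactly like the top snapshots above, and randomised source addresses would defeat any per-peer rate limit, which is Sheldon's point about "clever" UDP handling not helping against a deliberate DoS.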

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990723150602.B10047>