At 06:08 PM 06/09/2003 +0400, 3APA3A wrote:
The problem is, a remote attacker can establish as many connections per minute as bandwidth allows... Now, guess how inetd reacts if more than 256 connections are received in one minute? It will disable the service for the next 10 minutes to help the attack succeed. Of course, this is documented. The interval is not configurable. Something like

Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service terminated

will appear in the logs... If the connection is closed by the attacker before the service actually starts, the IP address of the attacker will never be logged.

IV. Workaround
Hi,

On FreeBSD's inetd there is the -C option in conjunction with the -R option:

-C rate  Specify the default maximum number of times a service can be invoked from a single IP address in one minute; the default is unlimited. May be overridden on a per-service basis with the "max-connections-per-ip-per-minute" parameter.

-R rate  Specify the maximum number of times a service can be invoked in one minute; the default is 256. A rate of 0 allows an unlimited number of invocations.

You can run without either of these options, but then you risk a DoS from resource starvation, e.g. invoke 1000 copies of ftpd and eat up all the RAM/swap etc. It's problematic either way, but at least you can mitigate the effects somewhat if it's a single host attacking.
---Mike
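The accounting the two posts describe, as an added example that is code from neither poster nor from inetd itself: a simplified Python model of the global -R cap (256 invocations per minute, service shut down afterwards) beside the per-IP -C cap, run over a constructed connection stream so the difference in who gets locked out is visible. The 600-second lockout, the sliding one-minute window and the addresses are assumptions.

```python
from collections import defaultdict, deque


class RateLimitedService:
    """Simplified model of inetd's -R (global) and -C (per-IP) limits (assumed semantics)."""

    WINDOW = 60  # seconds in one counting interval (assumed sliding window)

    def __init__(self, max_per_minute=256, max_per_ip_per_minute=None,
                 disable_seconds=600):
        self.max_per_minute = max_per_minute       # -R; 0 means unlimited
        self.max_per_ip = max_per_ip_per_minute    # -C; None means unlimited
        self.disable_seconds = disable_seconds     # assumed 10-minute lockout
        self.disabled_until = 0.0
        self.invocations = deque()                 # timestamps, all sources
        self.per_ip = defaultdict(deque)           # timestamps per source IP

    @staticmethod
    def _prune(q, now):
        while q and q[0] <= now - RateLimitedService.WINDOW:
            q.popleft()

    def offer(self, now, ip):
        """Outcome for one connection: 'served', 'dropped' or 'disabled'."""
        if now < self.disabled_until:
            return "disabled"                      # nobody is served while locked out
        self._prune(self.invocations, now)
        ipq = self.per_ip[ip]
        self._prune(ipq, now)
        if self.max_per_ip is not None and len(ipq) >= self.max_per_ip:
            return "dropped"                       # only this source is refused
        ipq.append(now)
        self.invocations.append(now)
        if self.max_per_minute and len(self.invocations) > self.max_per_minute:
            # global cap exceeded: the service goes away for every client
            self.disabled_until = now + self.disable_seconds
            self.invocations.clear()
            return "disabled"
        return "served"


def simulate(events, **config):
    """Run (timestamp, ip) events through the model; return outcome counts per IP."""
    svc = RateLimitedService(**config)
    result = {}
    for ts, ip in events:
        counts = result.setdefault(ip, {"served": 0, "dropped": 0, "disabled": 0})
        counts[svc.offer(ts, ip)] += 1
    return result


# Constructed stream: one flooding address, then a legitimate client a bit later.
SAMPLE_EVENTS = [(i / 10, "203.0.113.7") for i in range(300)] + \
                [(45.0, "198.51.100.2"), (70.0, "198.51.100.2")]
```

With only the default -R cap the legitimate client is locked out along with the flooder; with a per-IP cap of 10 only the flooder's connections are dropped.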