
Re: 11 years of inetd default insecurity?



At 06:08 PM 06/09/2003 +0400, 3APA3A wrote:

The problem is, a remote attacker can establish as many connections per
minute as bandwidth allows... Now, guess how inetd reacts if more than
256 connections are received in one minute? It will disable the service for the next
10 minutes to help the attack succeed. Of course, this is documented.
The interval is not configurable.

something like

Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service terminated

will appear in the logs... If the connection is closed by the attacker before the
service actually starts, the attacker's IP address will never be logged.

IV. Workaround

Hi,
On FreeBSD's inetd there is the -C option, used in conjunction with the -R option:

     -C rate
             Specify the default maximum number of times a service can be
             invoked from a single IP address in one minute; the default is
             unlimited.  May be overridden on a per-service basis with the
             "max-connections-per-ip-per-minute" parameter.

     -R rate
             Specify the maximum number of times a service can be invoked in
             one minute; the default is 256.  A rate of 0 allows an unlimited
             number of invocations.

You can run without either of these options, but then you risk a DoS from resource starvation, e.g. invoking 1000 copies of ftpd and eating up all the RAM/swap etc. It's problematic either way, but at least you can mitigate the effects somewhat if it's a single host attacking.

---Mike
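As an added illustration (not code from this thread or from inetd itself), a simplified Python model of the two limits discussed above: a global per-minute cap (-R) that disables the service for the documented 10 minutes when exceeded, and a per-IP cap (-C) that refuses only the offending address. The traffic, the addresses and the 60-second sliding window are constructed assumptions, not inetd's actual implementation.

```python
from collections import defaultdict, deque

WINDOW = 60.0  # one-minute window, as in the -R/-C descriptions above


class RateLimiter:
    """Simplified model of inetd's -R (global) and -C (per-IP) limits.

    Illustrative only: exceeding the global limit disables the service
    for DISABLE_SECS (the documented 10 minutes); exceeding the per-IP
    limit refuses just that address, so other clients are still served.
    """
    DISABLE_SECS = 600.0

    def __init__(self, global_rate=256, per_ip_rate=0):
        self.global_rate = global_rate    # -R; 0 means unlimited
        self.per_ip_rate = per_ip_rate    # -C; 0 means unlimited
        self.all_hits = deque()           # timestamps of served invocations
        self.ip_hits = defaultdict(deque)  # same, keyed by source IP
        self.disabled_until = 0.0

    @staticmethod
    def _prune(q, now):
        # drop timestamps that fell out of the one-minute window
        while q and now - q[0] >= WINDOW:
            q.popleft()

    def connect(self, now, ip):
        """Return 'served', 'refused-ip' or 'disabled' for one connection."""
        if now < self.disabled_until:
            return "disabled"
        q = self.ip_hits[ip]
        self._prune(q, now)
        if self.per_ip_rate and len(q) >= self.per_ip_rate:
            return "refused-ip"
        self._prune(self.all_hits, now)
        if self.global_rate and len(self.all_hits) >= self.global_rate:
            self.disabled_until = now + self.DISABLE_SECS
            return "disabled"
        q.append(now)
        self.all_hits.append(now)
        return "served"


def simulate(limiter, events):
    """Feed time-ordered (time, ip) events; return the outcome of each."""
    return [limiter.connect(t, ip) for t, ip in events]


if __name__ == "__main__":
    # constructed traffic: one address floods, then a legitimate client connects
    flood = [(i * 0.1, "198.51.100.7") for i in range(300)]
    legit = [(31.0, "192.0.2.10")]
    print(simulate(RateLimiter(global_rate=256), flood + legit)[-1])
    print(simulate(RateLimiter(256, per_ip_rate=20), flood + legit)[-1])
```

With only -R the legitimate client is turned away because the whole service is disabled; with -C set, the flooding address alone is refused and the legitimate client is served.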