At 06:08 PM 06/09/2003 +0400, 3APA3A wrote:
The problem is, remote attacker can establish as many connections per minute as bandwidth allows... Now, guess how inetd reacts if more than 256 connections received in one minute? It will disable service for next 10 minutes to help the attack succeed. Of course, this is documented. Interval is not configurable. Something like

Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service terminated

will appear in logs... If connection is closed by attacker before service actually starts, IP address of attacker will never be logged.

IV. Workaround
Hi,
On FreeBSD's inetd there is the -C option in conjunction with the -R option
     -C rate
             Specify the default maximum number of times a service can be
             invoked from a single IP address in one minute; the default is
             unlimited.  May be overridden on a per-service basis with the
             "max-connections-per-ip-per-minute" parameter.
     -R rate
             Specify the maximum number of times a service can be invoked in
             one minute; the default is 256.  A rate of 0 allows an unlimited
             number of invocations.
You can run without either of these options, but then you risk a DoS from 
resource starvation, e.g. invoke 1000 copies of ftpd and eat up all the 
RAM/swap etc.  It's problematic either way, but at least you can mitigate 
the effects somewhat if it's a single host attacking.
---Mike
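The trade-off Mike describes can be seen by modelling the two limits side by side. The following is an added illustration, not inetd's source and not part of either post: it reproduces the behaviour documented above (the -R limit disables the service for ten minutes once more than `rate` invocations arrive in a minute; the -C limit drops further connections from an address that has used up its per-minute quota) and drives both configurations with constructed traffic from one attacking host plus one legitimate client. The 60-second window and 10-minute lockout come from the man page text quoted in the thread; the assumption that the per-IP check runs before the global counter, and the IP addresses and traffic pattern, are mine.

```python
"""Model of inetd's -R (global) and -C (per-IP) rate limits.

Added example, not inetd's code.  Assumptions: the per-IP check is applied
before the global counter, and dropped per-IP connections do not count
toward the global rate.  Addresses and traffic are constructed test data.
"""
from collections import Counter

WINDOW = 60                 # both limits are "per minute" (man page)
RETRY_SECONDS = 10 * 60     # documented lockout after "looping" detection


class Service:
    """One inetd service with an optional -R and -C style limit (0 = unlimited)."""

    def __init__(self, global_rate=256, per_ip_rate=0):
        self.global_rate = global_rate      # -R rate (default 256)
        self.per_ip_rate = per_ip_rate      # -C rate (default unlimited)
        self.disabled_until = -1            # service disabled while now < this
        self.window_start = None            # start of current global window
        self.count = 0                      # invocations in current window
        self.ip_windows = {}                # ip -> (window_start, count)
        self.log = []                       # what the daemon would syslog

    def connect(self, now, ip):
        """Return 'served', 'dropped' (per-IP limit hit) or 'refused' (service disabled)."""
        if now < self.disabled_until:
            return "refused"

        # Per-IP limit (-C): the offending address is known and can be logged.
        if self.per_ip_rate:
            start, n = self.ip_windows.get(ip, (now, 0))
            if now - start >= WINDOW:
                start, n = now, 0
            n += 1
            self.ip_windows[ip] = (start, n)
            if n > self.per_ip_rate:
                self.log.append(f"{ip} exceeded {self.per_ip_rate}/min, connection dropped")
                return "dropped"

        # Global limit (-R): one more invocation than allowed disables the
        # whole service for everybody for RETRY_SECONDS.
        if self.global_rate:
            if self.window_start is None or now - self.window_start >= WINDOW:
                self.window_start, self.count = now, 0
            self.count += 1
            if self.count > self.global_rate:
                self.disabled_until = now + RETRY_SECONDS
                self.log.append("server failing (looping), service terminated")
                self.window_start, self.count = None, 0
                return "refused"
        return "served"


def run_scenario(svc, attacker_ip="198.51.100.7", client_ip="203.0.113.5"):
    """Constructed traffic: the attacker opens 10 connections per second for
    30 seconds (300 total) and then stops; a legitimate client connects once
    every 5 seconds for 15 minutes.  Returns outcome counts per party."""
    client, attacker = Counter(), Counter()
    for t in range(15 * 60):
        if t % 5 == 0:
            client[svc.connect(t, client_ip)] += 1
        if t < 30:
            for _ in range(10):
                attacker[svc.connect(t, attacker_ip)] += 1
    return {"client": dict(client), "attacker": dict(attacker)}


if __name__ == "__main__":
    # -R only (the default): the attacker trips the global limit and the
    # client is locked out for the next ten minutes.
    print("-R 256 only:   ", run_scenario(Service(global_rate=256)))
    # -C added: the attacker's excess connections are dropped and logged
    # with its address; the client is never refused.
    print("-R 256 -C 30:  ", run_scenario(Service(global_rate=256, per_ip_rate=30)))
```

In the default configuration the legitimate client is refused for every attempt in the ten-minute lockout, while with a per-IP limit only the attacker's surplus is discarded and its address ends up in the log. On FreeBSD these flags are passed through `inetd_flags` in /etc/rc.conf (for example `inetd_flags="-wW -C 60"`), and the per-service form uses the wait/nowait field of inetd.conf, e.g. `nowait/0/30` for a per-IP limit of 30 per minute; the concrete values here are illustrative, not a recommendation for any particular site.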