<<< Date Index >>>     <<< Thread Index >>>

Re: 11 years of inetd default insecurity?



On Sun, 2003-09-07 at 18:46, Thamer Al-Harbash wrote:
> On Sat, 6 Sep 2003, 3APA3A wrote:
> 
> > Dear bugtraq@xxxxxxxxxxxxxxxxx,
> >
> > Well,  we all blame Microsoft in insecure default configuration... Isn't
> > it time to clean outdated code in Unix?
> 
> This has been a known problem for quite a while. In fact
> D. J. Bernstein already solved it with tcpserver:
> 
> http://cr.yp.to/ucspi-tcp.html
> 
> If you look at the bottom he points out pretty much what you
> pointed out.

So DJB's program basically has a large listen queue, and goes into
queue-only mode after 40 concurrent connections?

If that's the case, then there's still a DOS - just fill the listen
queue with so much stuff that connections aren't serviced for a long
time.

-- 
Dan Stromberg DCS/NACS/UCI <strombrg@xxxxxxxxxxxxxxx>

Attachment: signature.asc
Description: This is a digitally signed message part