Re: Multiple Antivirus Scanners DoS attack.
On Thu, Jun 17, 2004 at 08:50:49AM +0200, Jacek Osiecki wrote:
> I have also checked the latest F-Prot for Windows - it scans the file for
> quite a long time, but finally does not crash and detects the virus
> signature.
Aren't we missing the point here? If I can construct a ~10K file that causes
an AV to hang for 20 mins+ - and I send 50 of them at your server - then
*even if they have no virus in them*, they will DoS you.
Isn't the solution that AVs need to have "resource limits" - where you as
the admin get to set:
* the max size that a file can be expanded to
* the max recursions you will do
* the max time you are willing to spend scanning a message (that would be
hard - becomes a bit of a loop when under load..)
* the max memory you are willing to let your AV grow to
and if any of those conditions are exceeded, then the AV must block-and-exit
(perhaps with a "DoS" descriptor). That way larger sites who are willing to
throw more hardware at this problem can have larger limits - basically you
can set those values to match your environment.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
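The resource-limit scheme proposed above, as an added example that is not part of the original post and not any AV product's code: a small Python scanner that walks nested zip archives under admin-settable caps on total expansion, nesting depth and wall-clock time, and returns a "blocked" verdict (the block-and-exit outcome) the moment a cap is hit instead of finishing the expansion. The EICAR test string stands in for a real signature; the Limits knobs, the archive builder and the sample inputs (a signature hit, a ~20 KiB-on-the-wire bomb that expands to 20 MiB, an over-nested archive) are all constructed here. Memory is bounded only indirectly, by charging expansion per chunk so the peak buffer never exceeds max_expanded_bytes; a hard process cap (ulimit -v / RLIMIT_AS) is assumed to be set outside this code.

```python
"""Added example: archive scanning under admin-set resource limits.
Illustrative code, not any AV product's implementation."""
import io
import time
import zipfile
from dataclasses import dataclass
from typing import Optional

# EICAR standard anti-malware test string; stands in for a real signature.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class Limits:                                    # the knobs the admin sets
    max_expanded_bytes: int = 10 * 1024 * 1024   # total decompressed output
    max_depth: int = 4                           # nested archives to open
    max_seconds: float = 5.0                     # wall-clock budget per input
    chunk: int = 64 * 1024                       # read size; bounds peak memory


class LimitExceeded(Exception):
    pass


class _Budget:
    """Running totals shared by every level of the recursion."""

    def __init__(self, limits: Limits):
        self.limits = limits
        self.expanded = 0
        self.deadline = time.monotonic() + limits.max_seconds

    def charge(self, nbytes: int) -> None:
        self.expanded += nbytes
        if self.expanded > self.limits.max_expanded_bytes:
            raise LimitExceeded("max-expansion")
        if time.monotonic() >= self.deadline:
            raise LimitExceeded("max-time")


def _read_bounded(fh, budget: _Budget) -> bytes:
    """Decompress chunk by chunk, charging as we go: a bomb that is ~10K on
    the wire is cut off at max_expanded_bytes, never materialized in full."""
    out = io.BytesIO()
    while True:
        piece = fh.read(budget.limits.chunk)
        if not piece:
            return out.getvalue()
        budget.charge(len(piece))
        out.write(piece)


def _scan_bytes(data: bytes, budget: _Budget, depth: int) -> str:
    if EICAR in data:
        return "infected"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "clean"
    if depth >= budget.limits.max_depth:
        raise LimitExceeded("max-recursion")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "clean"           # not expandable; raw bytes were already checked
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                member = _read_bounded(fh, budget)
            verdict = _scan_bytes(member, budget, depth + 1)
            if verdict != "clean":
                return verdict
    return "clean"


def scan(data: bytes, limits: Optional[Limits] = None) -> str:
    """Return 'clean', 'infected' or 'blocked:<limit>'. A blocked verdict is
    the block-and-exit outcome: the message is refused, not waved through."""
    budget = _Budget(limits or Limits())
    try:
        return _scan_bytes(data, budget, 0)
    except LimitExceeded as exc:
        return f"blocked:{exc}"


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_inputs() -> dict:
    """Constructed inputs: a signature hit, a small-on-the-wire expansion
    bomb nested three deep, and an archive nested past the depth limit."""
    infected = make_zip({"readme.txt": b"hello", "payload.com": EICAR})
    bomb = make_zip({"zeros.bin": b"\0" * (20 * 1024 * 1024)})  # ~20 KiB deflated
    for i in range(3):
        bomb = make_zip({f"layer{i}.zip": bomb})
    deep = make_zip({"leaf.txt": b"ok"})
    for i in range(6):
        deep = make_zip({f"d{i}.zip": deep})
    return {"infected": infected, "bomb": bomb, "deep": deep}


if __name__ == "__main__":
    for name, blob in sample_inputs().items():
        print(f"{name:8s} {len(blob):6d} bytes on the wire -> {scan(blob)}")
```

The time budget is wall-clock per input rather than CPU time, which is what makes the "loop under load" concern visible: on a busy box the same bomb trips max-time sooner, so the caller should treat a blocked verdict as a quarantine or bounce, never as a pass. Raising max_depth or max_expanded_bytes is how a larger site spends its extra hardware on the problem.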