tech-security archive


Re: inetd and libwrap



On Tue, 8 Jul 2008, Uwe Klaus wrote:


Last week the pop3 service of our mail server running NetBSD 4.0
was hit by a password guessing attack. The connection rate was so
high that the service was disabled immediately.

Jul 4 18:19:28 mail inetd[14963]: pop3/tcp max spawn rate (200 in 60 seconds) exceeded; service not started

Since inetd was running with libwrap connection logging (-l) I
added the attacker's IP address to /etc/hosts.deny and restarted
the inetd daemon. But it didn't help. I saw in /var/log/authlog
that connections were refused.

Jul 4 18:29:25 mail inetd[8924]: refused connection from xxx.xxx.xxx.xxx, service pop3 (tcp)

But after some seconds the pop3 service was down again.

Jul 4 18:29:28 mail inetd[9003]: pop3/tcp max spawn rate (200 in 60 seconds) exceeded; service not started

It seems that the connections refused by libwrap were also
counted in the sense of maximum number of server instances that
may be spawned from inetd within an interval of 60 seconds.

If so, libwrap is not useful to prevent DoS attacks.


Correct. You need to filter those IPs at the border router, or have your upstream filter them before they even hit your lines.

The spawn limit is to prevent the whole machine from going down...

--
Joe Laffey                |       Visual Effects for Film and Video
LAFFEY Computer Imaging   |     -------------------------------------
St. Louis, MO             |       Show Reel http://LAFFEY.tv/?e11012
USA                       |     -------------------------------------
.                         |        -*- Digital Fusion Plugins -*-
--------------------------------------------------------------------------
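The thread's point is that every connection libwrap refuses still counts toward inetd's spawn limit, so the useful thing to extract from authlog is which source addresses are generating refusals fast enough to trip that limit on their own; those are the addresses that have to be dropped upstream, as Joe says. The following is an added example, not code from the thread or from NetBSD: it parses the two inetd line formats shown above (libwrap "refused connection" and "max spawn rate ... exceeded"), keeps a sliding 60-second window of refusals per (source IP, service), and reports the addresses whose refusal rate alone reaches the spawn limit. The log lines it runs on are constructed (the 203.0.113.7 and 198.51.100.9 addresses and the 2008 year are assumptions, since syslog stamps carry no year).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# libwrap refusal line written by inetd -l, in the format quoted in the thread
REFUSED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ inetd\[\d+\]: "
    r"refused connection from (?P<ip>\S+), service (?P<svc>\S+) \((?P<proto>\w+)\)$"
)
# inetd spawn-rate shutdown line, also in the format quoted in the thread
SPAWN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ inetd\[\d+\]: "
    r"(?P<svc>\S+)/(?P<proto>\w+) max spawn rate \((?P<limit>\d+) in (?P<window>\d+) seconds\) exceeded"
)


def parse_ts(ts, year=2008):
    """Parse a syslog timestamp; the year is not in the log, so it is assumed."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def refused_peaks(lines, window=60):
    """Peak number of libwrap refusals per (ip, service) inside any `window` seconds.

    Lines are expected in chronological order, as syslog writes them.
    """
    recent = defaultdict(deque)   # (ip, svc) -> timestamps still inside the window
    peaks = defaultdict(int)
    for line in lines:
        m = REFUSED_RE.match(line)
        if not m:
            continue
        key = (m["ip"], m["svc"])
        t = parse_ts(m["ts"])
        q = recent[key]
        q.append(t)
        while (t - q[0]).total_seconds() >= window:   # slide the window forward
            q.popleft()
        peaks[key] = max(peaks[key], len(q))
    return dict(peaks)


def spawn_events(lines):
    """(service, limit, window) for every 'max spawn rate exceeded' line."""
    return [(m["svc"], int(m["limit"]), int(m["window"]))
            for m in map(SPAWN_RE.match, lines) if m]


def filter_candidates(lines, limit=200, window=60):
    """Source IPs whose refused-connection rate alone reaches inetd's spawn limit.

    hosts.deny cannot stop these; they have to be filtered before they reach inetd.
    """
    peaks = refused_peaks(lines, window)
    return sorted({ip for (ip, svc), n in peaks.items() if n >= limit})


def constructed_log():
    """Constructed sample: 200 refusals from one address in 50 s, two from another,
    then the shutdown line inetd logs when the limit trips."""
    base = datetime(2008, 7, 4, 18, 29, 25)

    def stamp(t):
        return f"{t:%b} {t.day:2d} {t:%H:%M:%S}"   # syslog pads a single-digit day

    lines = []
    for i in range(200):   # four refusals per second for 50 seconds
        t = base + timedelta(seconds=i // 4)
        lines.append(f"{stamp(t)} mail inetd[{8924 + i}]: refused connection from "
                     f"203.0.113.7, service pop3 (tcp)")
    for s in (5, 15):      # a second address, well under the limit
        t = base + timedelta(seconds=s)
        lines.append(f"{stamp(t)} mail inetd[9200]: refused connection from "
                     f"198.51.100.9, service pop3 (tcp)")
    lines.sort(key=lambda l: parse_ts(REFUSED_RE.match(l)["ts"]))
    t = base + timedelta(seconds=50)
    lines.append(f"{stamp(t)} mail inetd[9003]: pop3/tcp max spawn rate "
                 f"(200 in 60 seconds) exceeded; service not started")
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print("spawn limit events:", spawn_events(log))
    print("peak refusals per source:", refused_peaks(log))
    print("filter upstream:", filter_candidates(log))
```

Run against a real /var/log/authlog, `filter_candidates` gives the list of addresses to hand to the border router or upstream provider; `spawn_events` confirms from the same file whether the service was actually taken down and with what limit, so the threshold passed to `filter_candidates` can be set to match inetd's configured spawn rate rather than a guess.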

