netbsd-users: Re: Fwd: inetd DoS exploit

Subject: Re: Fwd: inetd DoS exploit
To: Emre Yildirim <emre@srengineering.com>
From: Kevin Sindhu <satan@ucanmail.com>
List: netbsd-users
Date: 02/25/2001 21:05:52
At 10:46 PM 2/26/2001 -0600, Emre Yildirim wrote:
>On Sunday 25 February 2001 22:33 US Central Time, Kevin Sindhu wrote:
>
> > This is pretty interesting though...even though inetd has been
> > coded like this, is there any way for us to prevent this?
>
>Maybe a shellscript that will block the IP when someone tries to
>connect x times within y seconds? (using ipf of course).

Hmm...I never thought of ipf....hmm...yes, we could do this...but what if 
happens if you are in an environment where implementation of ipf is 
impossible(I am thinking of one machine serving our Asia offices..)

I am guessing that within a couple of weeks/days(?), this is gonna be the 
next most popular DoS on the net...wheee...

Possible work-arounds ( At least in my environment):

1) Use ipf rules to block (I haven't looked at how we could do this...I'd 
appreciate any examples).

I am thinking a shell script run from cron which runs every 5-10 seconds, 
scanning ipflog looking from multiple connections from host x and if 
connections > 50 in time X, deny that IP(using awk/perl)...but that would 
cause more pain, as we would have to log incoming connections for anything 
run out of inetd...

Any better ideas?

2) Take out ftpd from inetd and run it as a daemon.

For now, I have implemented this, as I cannot afford to love ftpd for some 
of our boxes...

3) Implement xinetd

Its has some very nice features...

>Like Bill Sommerfeld said, just wait a few minutes and inetd
>recovers. (at least ir doesnt completely crash)

Yes, but still you lose connection for 10 minutes...that in a production 
network can likely get you into hot water...(me anyway)

>HA HAh ...
>I tried this on my Linux, Solaris and IRIX boxes, it produced the
>same result.  My OpenBSD-current box's ftp and telnet died as well.
>But hey...like you said, since it's not enabled by default it's not a
>bug :-)

Lol...I can never that understand as well..I've always wondered why "not 
enabled by default" is not a bug? In most case, many people will likely not 
suffer the consequences, but what about those who *do* need to enable the 
"not enable by default" options..*sigh* The blind leading the blind...

Regards

-Kevin Sindhu


-------------------------------------------------------------------------------------------------
-- Man is the only animal that can remain on friendly terms with 
the
-- victims he intends to eat until he eats them.
                                 -- Samuel Butler (1835-1902)