From owner-freebsd-security Mon Dec 21 19:36:39 1998
Date: Tue, 22 Dec 1998 04:36:25 +0100
From: Rico Pajarola <pajarola@cybertime.ch>
To: security@FreeBSD.ORG
Subject: Re: nmap crashes inetd/portmap on 2.2.6

What I meant was much more subtle. There are no traces anywhere, no log entries (after all, that's the purpose of a stealth scan). But inetd hangs, i.e. I can connect to a port served by inetd (e.g. 110), but nothing happens after I connect, no banner or anything, and no error messages anywhere. This happens with all TCP services running under inetd. When I restart inetd, it processes inetd.conf only up to the first RPC service, so I believe portmap gets somehow screwed as well. Everything at and below that line in inetd.conf is ignored.

Other systems affected are AIX 4.1.5, Solaris 2.6, and SCO UW 2.1 with similar symptoms. Cisco Routers (IOS 11.1) show extreme performance drops when scanned, but they recover as soon as scanning stops. Linux (tested on RedHat 5.1) and FreeBSD-current are immune.
Rico Pajarola

>If I strobe my FreeBSD 3.0-current system, it gets to the point where
>it looks like a DoS attack:
>
>Dec 20 06:51:43 greenwood3 /kernel: icmp-response bandwidth limit 585/100 pps
>Dec 20 06:51:44 greenwood3 identd[32580]: warning: can't get client address: Socket is not connected
>Dec 20 06:51:44 greenwood3 /kernel: icmp-response bandwidth limit 295/100 pps
>Dec 20 06:51:45 greenwood3 identd[32584]: getbuf: bad address (000186c0 not in f0100000-0xFFC00000) - ofile
>Dec 20 06:51:45 greenwood3 identd[32584]: k_getuid retries: 1
>Dec 20 06:51:45 greenwood3 /kernel: icmp-response bandwidth limit 219/100 pps
>Dec 20 06:51:46 greenwood3 /kernel: icmp-response bandwidth limit 322/100 pps
>Dec 20 06:51:47 greenwood3 syslogd: /dev/console: Too many open files in system: Too many open files in system
>Dec 20 06:51:47 greenwood3 syslogd: /var/run/utmp: Too many open files in system
>Dec 20 06:51:47 greenwood3 syslogd: /var/run/utmp: Too many open files in system
>Dec 20 06:51:47 greenwood3 /kernel: file: table is full
>
>Then the rest of the log lines are the file table being full, utmp problems,
>and bouncing off Matt's icmp-response limits.. :) Of course all the
>packets were going so fast because it was going through lo0, but it
>could be just as well flooded from an external interface.
>
>Killed the compile of wine I was working on also..
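The quoted excerpt is what a noisy port strobe looks like from the victim's syslog: a burst of kernel `icmp-response bandwidth limit` messages followed by descriptor and file-table exhaustion. The following is an added example, not code from the thread or from FreeBSD: a small syslog triage routine that groups such lines per host, records the peak rate the kernel reported, and flags the combination of a rate-limit burst with file-table exhaustion. The sample lines are constructed to mirror the quoted log (the hostname and values are illustrative), and the burst window and event thresholds are assumptions, not FreeBSD defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the syslog excerpt quoted in the thread.
# Not the original log; the hostname, pids and values are illustrative.
SAMPLE_LOG = """\
Dec 20 06:51:43 greenwood3 /kernel: icmp-response bandwidth limit 585/100 pps
Dec 20 06:51:44 greenwood3 identd[32580]: warning: can't get client address: Socket is not connected
Dec 20 06:51:44 greenwood3 /kernel: icmp-response bandwidth limit 295/100 pps
Dec 20 06:51:45 greenwood3 identd[32584]: k_getuid retries: 1
Dec 20 06:51:45 greenwood3 /kernel: icmp-response bandwidth limit 219/100 pps
Dec 20 06:51:46 greenwood3 /kernel: icmp-response bandwidth limit 322/100 pps
Dec 20 06:51:47 greenwood3 syslogd: /var/run/utmp: Too many open files in system
Dec 20 06:51:47 greenwood3 /kernel: file: table is full
Dec 20 07:10:02 greenwood3 sshd[1201]: Accepted publickey for alice from 10.0.0.5
"""

# Classic BSD syslog layout: "Mon dd HH:MM:SS host message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# Kernel message seen in the quoted log: actual rate / configured cap.
ICMP_LIMIT_RE = re.compile(r"icmp-response bandwidth limit (?P<actual>\d+)/(?P<cap>\d+) pps")
# Two phrasings of the same condition: per-process EMFILE and the kernel file table.
FD_EXHAUST_RE = re.compile(r"Too many open files in system|file: table is full")


def parse_ts(ts):
    # Syslog timestamps carry no year; the 1900 default is fine for deltas
    # within one burst, which is all this routine needs.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def triage(log_text, burst_window_s=10, min_limit_events=3):
    """Summarise scan-induced resource pressure per host.

    burst_window_s and min_limit_events are assumed tuning knobs for this
    example: a host is flagged when at least min_limit_events rate-limit
    messages fall within burst_window_s seconds.
    """
    hosts = defaultdict(lambda: {
        "icmp_limit_events": 0, "peak_pps": 0, "pps_cap": None,
        "fd_exhaustion_lines": 0, "first": None, "last": None,
    })
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # skip lines that are not BSD syslog format
        host, msg, ts = m["host"], m["msg"], parse_ts(m["ts"])
        h = hosts[host]
        lim = ICMP_LIMIT_RE.search(msg)
        if lim:
            h["icmp_limit_events"] += 1
            h["peak_pps"] = max(h["peak_pps"], int(lim["actual"]))
            h["pps_cap"] = int(lim["cap"])
            h["first"] = h["first"] or ts
            h["last"] = ts
        elif FD_EXHAUST_RE.search(msg):
            h["fd_exhaustion_lines"] += 1

    result = {}
    for host, h in hosts.items():
        span = (h["last"] - h["first"]).total_seconds() if h["first"] else None
        burst = (h["icmp_limit_events"] >= min_limit_events
                 and span is not None and span <= burst_window_s)
        if burst and h["fd_exhaustion_lines"]:
            verdict = "resource exhaustion during icmp burst"
        elif burst:
            verdict = "icmp-response rate limiting burst"
        elif h["fd_exhaustion_lines"]:
            verdict = "descriptor/file-table exhaustion"
        else:
            verdict = "nothing notable"
        result[host] = {**h, "burst_span_s": span, "icmp_burst": burst, "verdict": verdict}
    return result


if __name__ == "__main__":
    for host, summary in triage(SAMPLE_LOG).items():
        print(host, summary["verdict"], "peak", summary["peak_pps"], "pps")
```

Two caveats from the thread itself apply: the kernel rate-limit lines only appear on systems that have Matt's icmp-response limiter (3.0-current in the quoted message), and the quieter failure Rico describes, where inetd accepts the connection but never answers and nothing is logged, leaves no line for this routine to match; catching that needs a service-level probe that times out waiting for a banner, not a log search.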