From owner-freebsd-security Wed Aug 27 06:29:43 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id GAA02936 for security-outgoing; Wed, 27 Aug 1997 06:29:43 -0700 (PDT) Received: from burgundy.eecs.harvard.edu (dholland@burgundy.eecs.harvard.edu [140.247.60.165]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id GAA02929 for ; Wed, 27 Aug 1997 06:29:40 -0700 (PDT) Received: (from dholland@localhost) by burgundy.eecs.harvard.edu (8.8.5/8.8.5) id JAA00911; Wed, 27 Aug 1997 09:29:13 -0400 (EDT) From: David Holland Message-Id: <199708271329.JAA00911@burgundy.eecs.harvard.edu> Subject: Re: FW: Denial-of-service attack against INETD. Redhat 4.X and othe To: newton@communica.com.au (Mark Newton) Date: Wed, 27 Aug 1997 09:29:13 -0400 (EDT) Cc: Shimon@i-Connect.Net, freebsd-security@FreeBSD.ORG In-Reply-To: <9708270326.AA12076@communica.com.au> from "Mark Newton" at Aug 27, 97 12:56:26 pm X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > What kind of weenie posts a long rambling message to CERT about a denial > of service issue that's documented for all to see in the manpage anyway? Don't ask me... > Eh? inetd sleeps in two places: One of them is when a fork() fails. > The other is when the select() that's used to detect incoming connections > fails (i.e.: returns <= 0). What has Linux done to their inetd? :-) Nothing. :-p I picked up the guy's "fixes", and it's a completely new version of inetd. Since he seems to have decided it was a good idea to reindent and reformat everything, I can't tell what he's done. I think he misunderstood the significance of the EINTR in if ((n = select(maxsock + 1, &readable, (fd_set *)0, (fd_set *)0, (struct timeval *)0)) <= 0) { if (n < 0 && errno != EINTR) syslog(LOG_WARNING, "select: %m\n"); sleep(1); continue; } However, he seems to have changed that sleep to a sleep(60). So I don't know what he's smoking. > > One other change: it used to be that if bind() fields when setting > > up a socket, inetd would wait 10 minutes before trying again. I > > lowered this value to 10 seconds. > > If bind() fails it usually indicates the kind of savage resource shortage > that perfectly justifies backing off for ten minutes or so. To reduce > this back-off to ten seconds introduces the possibility that inetd > can actually contribute to Denial Of Service problems by compounding > existing resource shortages. That, and the most common cause of this failure is accidentally running two inetds at once, so there's no point in hurrying to retry. -- - David A. Holland | VINO project home page: dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino