Date: Mon, 7 Jan 2002 23:40:55 +0100 (CET)
From: Matthias Andree <matthias.andree@web.de>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/33670: default inetd install allows for unlimited resource use
Message-ID: <20020107224055.2124F2D328@freebsd.emma.line.org>
>Number:         33670
>Category:       bin
>Synopsis:       default inetd install allows for unlimited resource use
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 07 17:30:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Matthias Andree
>Release:        FreeBSD 4.5-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD freebsd.emma.line.org 4.5-PRERELEASE FreeBSD 4.5-PRERELEASE #0: Thu Jan 3 16:41:15 CET 2002 root@freebsd.emma.line.org:/usr/src/sys/compile/M2A2 i386
>Description:
By default, FreeBSD runs inetd. While the FreeBSD implementation of inetd has an outstanding feature set, regretfully, this is not used to protect a system to the full extent.

Daniel J. Bernstein, like him or not, describes an attack on inetd, http://cr.yp.to/docs/inetd.c, which can be refined and used against FreeBSD. However, unlike many other inetd implementations, FreeBSD's HAS the ability to limit the total number of connections per service, by means of the -c option, but this is not currently used.
>How-To-Repeat:
Connect, but do not release, connections just below the maximum connect/minute rate.
>Fix:
I'm not sure if it's sufficient, but it looks as though changing inetd_flags in /etc/defaults/rc.conf to "-wWc20" might help; no more than 20 servers per service could then be running at the same time.
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
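The following is an added model, written for this page and not taken from FreeBSD's inetd source or from the PR, of the two inetd admission policies the report contrasts: the per-minute rate limit (-R, default 256, after which inetd(8) disables the service for ten minutes) and the per-service cap on simultaneous children (-c, unlimited unless given). It runs the How-To-Repeat attack, connections opened just under the -R rate and never released, against an unconfigured service and against one started with inetd_flags="-wWc20", and counts the server processes left behind. That the connection simply waits when the -c cap is hit, and that children never exit during the attack, are simplifying assumptions of this model.

```python
"""Added model of inetd's per-service admission control (not FreeBSD's
inetd source).  Two policies are reproduced:

  -R rate    : at most `rate` invocations per service per minute
               (inetd default 256); on excess, inetd logs the problem and
               stops serving that service for ten minutes.
  -c maximum : at most `maximum` simultaneous children per service
               (unlimited unless -c is given, the default this PR objects to).

The attacker from How-To-Repeat opens connections and never closes them,
staying just under the -R rate so the service is never disabled.  The model
counts how many server processes that leaves running.  Assumptions: children
never exit during the attack, and a connection refused by -c just waits.
"""

from dataclasses import dataclass
from typing import Optional

RATE_DEFAULT = 256        # inetd -R default
DISABLE_MINUTES = 10      # inetd disables a service that exceeded -R for this long


@dataclass
class Service:
    rate_limit: int = RATE_DEFAULT
    max_children: Optional[int] = None   # -c value; None means unlimited
    children: int = 0                    # live server processes (never exit here)
    started_this_minute: int = 0
    disabled_until: int = -1             # minute at which the service is re-enabled
    deferred: int = 0                    # connections left waiting because of -c

    def tick(self) -> None:
        """Start a new minute: -R counts invocations per minute."""
        self.started_this_minute = 0

    def accept(self, minute: int) -> bool:
        """Return True if inetd would fork a server for this connection."""
        if minute < self.disabled_until:
            return False                 # service switched off after exceeding -R
        if self.started_this_minute >= self.rate_limit:
            # -R exceeded: inetd disables the service for ten minutes
            self.disabled_until = minute + DISABLE_MINUTES
            return False
        if self.max_children is not None and self.children >= self.max_children:
            # -c reached: no fork; the connection waits in the listen backlog
            self.deferred += 1
            return False
        self.started_this_minute += 1
        self.children += 1
        return True


def hold_open_attack(svc: Service, minutes: int, per_minute: int) -> int:
    """Open `per_minute` connections each minute and never release them.
    Returns the number of server processes left running afterwards."""
    for m in range(minutes):
        svc.tick()
        for _ in range(per_minute):
            svc.accept(m)
    return svc.children


if __name__ == "__main__":
    # constructed scenario: one hour at 255 connections/minute, one below -R
    default = Service()                      # 4.5 default: -R 256, no -c
    hardened = Service(max_children=20)      # inetd_flags="-wWc20"
    print("no -c :", hold_open_attack(default, 60, RATE_DEFAULT - 1), "servers after one hour")
    print("-c 20 :", hold_open_attack(hardened, 60, RATE_DEFAULT - 1), "servers after one hour")
```

Staying at 255 connections per minute, the rate limit never fires, so after an hour the unconfigured service has 15300 children (and would keep growing), while the -c 20 service is pinned at 20 and the remaining connections merely queue. Pushing past 256 in a minute only trips -R, which disables the service for ten minutes and is the separate, noisier denial of service that DJB's note describes; -c is what bounds the resource use the PR is about.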