Date: Thu, 16 Aug 2001 15:54:31 +0200 (CEST)
From: Laurent Wacrenier <lwa@teaser.fr>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/29774: accept filters leave established connections without timeout
Message-ID: <20010816135431.0DDF732607@victor.teaser.fr>

>Number:         29774
>Category:       kern
>Synopsis:       accept filters leave established connections without timeout
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 16 07:00:11 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Laurent Wacrenier
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
France Teaser
>Environment:
System: FreeBSD victor.teaser.fr 5.0-CURRENT FreeBSD 5.0-CURRENT #1: Tue Aug 7 14:51:14 CEST 2001 lwa@victor.teaser.fr:/usr/src/sys/i386/compile/VICTOR i386

apache-1.3.20 compiled from ports

>Description:

When apache is used with the httpready accept filter, the kernel notifies
apache that a connection is available if the data match what httpready is
programmed for.

In certain cases, httpready keeps the data without time limit, leaving
one connection established and wasting some mbufs.

After one day running, on a server never referenced and without any
documents:

% netstat -an -f inet | 'Proto|\.80'
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4    3818      0  213.91.2.241.80        213.30.133.122.4647    ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.93.113.136.2698    ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.57.142.158.11000   ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.8.86.29.2566       ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.250.62.21.3955     ESTABLISHED
tcp4    3818      0  213.91.2.241.80        62.10.54.49.2164       ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.176.53.5.1383      ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.242.144.68.1153    ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.96.30.158.2110     ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.46.202.155.4871    ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.221.18.242.3455    ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.66.113.35.3087     ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.74.116.246.35836   ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.194.95.185.1390    ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.64.213.5.16989     ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.131.135.241.1368   ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.147.49.210.2503    ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.132.46.58.3615     ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.32.45.66.3813      ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.217.37.10.1494     ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.132.49.86.63509    ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN

I suspect all these established connections are hits from the Code Red worm.

Code Red is a worm running on Microsoft Windows systems that scans
Internet IP addresses to seek other Microsoft Windows systems on which
it can install itself (with a preference for IP addresses on the same
Class A).

It may be a serious security issue because a malicious user will be
able to send the same sequence of TCP frames and busy all available TCP
connection slots in a few minutes.

>How-To-Repeat:

- install apache 1.3.20
- kldload accf_http
- start apache
- wait some hours until a few Code Red worm instances hit you

>Fix:

Accept filters are not enabled in the kernel by default, but if they are,
the apache port will use them without software configuration.

Until accept filters are able to manage connection timeouts: fix your
kernel or your loader configuration to unload accept filters, so apache
will be unable to use them. Then reboot.

It would be a good thing to remove the recommendation about the use of
accept filters from the apache optimisation document about BSD.

>Release-Note:
>Audit-Trail:
>Unformatted:
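
One way to check a server for the condition reported above, as an added example that is not part of the original message: compare two saved `netstat -an -f inet` snapshots and list connections to the web port that stay ESTABLISHED with the same unread Recv-Q. The helper name `stuck_conns`, the snapshot files and the sample addresses are constructed for illustration, and BSD-style `addr.port` netstat output is assumed.

```sh
#!/bin/sh
# Added example: list connections that stay ESTABLISHED with the same
# unread Recv-Q across two `netstat -an -f inet` snapshots.

# stuck_conns PORT SNAP1 SNAP2   (hypothetical helper name)
# Prints "foreign-address recv-q" for each match on local PORT.
stuck_conns() {
    awk -v port="$1" '
        # Columns: Proto Recv-Q Send-Q Local Foreign (state)
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $2 > 0 {
            n = split($4, a, ".")        # BSD netstat prints addr.port
            if (a[n] != port) next
            key = $5 " " $2
            if (FILENAME == ARGV[1]) seen[key] = 1   # first snapshot
            else if (key in seen) print key          # still there, unchanged
        }
    ' "$2" "$3"
}

# Constructed sample snapshots (documentation addresses), taken an hour apart.
demo() {
    s1=$(mktemp) && s2=$(mktemp) || return 1
    cat > "$s1" <<'EOF'
Proto Recv-Q Send-Q  Local Address   Foreign Address     (state)
tcp4    3818      0  192.0.2.10.80   198.51.100.7.4647   ESTABLISHED
tcp4    3818      0  192.0.2.10.80   198.51.100.9.2698   ESTABLISHED
tcp4     120      0  192.0.2.10.80   203.0.113.5.1153    ESTABLISHED
tcp4       0      0  192.0.2.10.22   203.0.113.8.50122   ESTABLISHED
tcp4       0      0  *.80            *.*                 LISTEN
EOF
    cat > "$s2" <<'EOF'
Proto Recv-Q Send-Q  Local Address   Foreign Address     (state)
tcp4    3818      0  192.0.2.10.80   198.51.100.7.4647   ESTABLISHED
tcp4    3818      0  192.0.2.10.80   198.51.100.9.2698   ESTABLISHED
tcp4       0      0  192.0.2.10.80   203.0.113.77.2110   ESTABLISHED
tcp4       0      0  *.80            *.*                 LISTEN
EOF
    stuck_conns 80 "$s1" "$s2"
    rm -f "$s1" "$s2"
}

demo
```

A connection that appears only in the first snapshot, such as the constructed 203.0.113.5 entry, was handed to the server and is not reported; only entries whose queued data never moves are listed.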