From owner-freebsd-hackers Fri Jul 23 6: 6: 9 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from david.siemens.de (david.siemens.de [192.35.17.14]) by hub.freebsd.org (Postfix) with ESMTP id 11E0F15709 for ; Fri, 23 Jul 1999 06:06:05 -0700 (PDT) (envelope-from andre.albsmeier@mchp.siemens.de)
X-Envelope-Sender-Is: andre.albsmeier@mchp.siemens.de (at relayer david.siemens.de)
Received: from mail1.siemens.de (mail1.siemens.de [139.23.33.14]) by david.siemens.de (8.9.3/8.9.3) with ESMTP id PAA01947 for ; Fri, 23 Jul 1999 15:06:04 +0200 (MET DST)
Received: from curry.mchp.siemens.de (curry.mchp.siemens.de [139.25.42.7]) by mail1.siemens.de (8.9.3/8.9.3) with ESMTP id PAA02713 for ; Fri, 23 Jul 1999 15:06:03 +0200 (MET DST)
Received: (from daemon@localhost) by curry.mchp.siemens.de (8.9.3/8.9.3) id PAA50738 for ; Fri, 23 Jul 1999 15:06:04 +0200 (CEST)
Date: Fri, 23 Jul 1999 15:06:02 +0200
From: Andre Albsmeier
To: Sheldon Hearn
Cc: Andre Albsmeier, Brian Feldman, hackers@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/inetd builtins.c inetd.h
Message-ID: <19990723150602.B10047@internal>
References: <19990723112812.A3847@internal> <41604.932732959@axl.noc.iafrica.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.5i
In-Reply-To: <41604.932732959@axl.noc.iafrica.com>; from Sheldon Hearn on Fri, Jul 23, 1999 at 02:29:19PM +0200
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 23-Jul-1999 at 14:29:19 +0200, Sheldon Hearn wrote:
>
> [Hijacked from cvs-committers and cvs-all]
>
> On Fri, 23 Jul 1999 11:28:12 +0200, Andre Albsmeier wrote:
>
> > I observed some kind of denial of service on -STABLE: I was
> > playing with the new nmap and did a 'nmap -sU printfix'.
> > inetd was running as "inetd -l" and started sucking all the
> > CPU time even though nmap had been terminated long ago.
>
> What does "sucking all the CPU time" mean? Does it mean that other
> programs were suffering, or does it mean that it was the only
> significant user of CPU and so showed up at close to 100% CPU usage?
>
> I suspect that the latter is true.

It's only nearly 50% because syslogd gets most of the other half :-)
But when inetd is run without -l it gets 100%.

> > /var/log/messages file showed zillions of the following lines
> > being added continuously:
>
> Well, you did ask for them (inetd -l). :-)
>
> > Jul 23 11:21:28 printfix inetd[1743]: time from [...]
> > Jul 23 11:21:28 printfix inetd[1743]: daytime from [...]
>
> Usually syslog will give you "last message repeated X times".
> Unfortunately, the alternation of the messages makes this impossible.
>
> David Malone had a few ideas on "clever" handling of UDP. While what
> he suggests might help reduce the number of messages you receive under
> legitimate use, it won't help against DoS, since the sender of packets
> can simply randomize the origin addresses.
>
> > Maybe you got an idea...
>
> I know exactly why you see what you see when you do what you do. All I
> can say is "don't do that", because I can't think of a way to cater for
> what you're doing in a sensible fashion.

I think I didn't describe the problem clearly, so I will try again :-)

1. I run 'nmap -sU printfix' on the 192.168.17.100 machine.
2. After nmap has finished it shows me the open ports.
3. We wait, e.g. 1 minute.
4. inetd, which runs with -l, continues logging to syslogd and never stops.

Here is a top snapshot taken one minute later:

last pid:  4040;  load averages:  0.96,  0.56,  0.29    up 0+06:19:27  14:56:00
36 processes:  2 running, 34 sleeping
CPU states: 54.3% user,  0.0% nice, 41.9% system,  3.9% interrupt,  0.0% idle
Mem: 8500K Active, 37M Inact, 12M Wired, 3428K Cache, 7592K Buf, 532K Free
Swap: 49M Total, 49M Free

  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 3748 root      58    0  956K   704K RUN      0:20 44.97% 44.97% inetd
  122 root       2    0  848K   576K select   3:10 36.47% 36.47% syslogd
  127 root       2    0 1588K  1228K select   0:05  0.00%  0.00% named
  200 root       2    0  876K   524K select   0:02  0.00%  0.00% lpd
  132 root       2  -52 1236K   732K select   0:02  0.00%  0.00% xntpd

In case we start inetd without -l, it doesn't log to syslogd anymore and
therefore consumes all the CPU for itself:

last pid:  4397;  load averages:  1.59,  1.10,  0.55    up 0+06:22:14  14:58:47
111 processes:  2 running, 109 sleeping
CPU states: 61.2% user,  0.0% nice, 38.0% system,  0.8% interrupt,  0.0% idle
Mem: 10M Active, 30M Inact, 14M Wired, 3776K Cache, 7592K Buf, 3688K Free
Swap: 49M Total, 49M Free

  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 4043 root     104    0  956K   740K RUN      1:33 97.66% 97.61% inetd
  122 root       2    0  848K   576K select   3:16  0.00%  0.00% syslogd
  127 root       2    0 1588K  1228K select   0:05  0.00%  0.00% named

Remember that nmap finished a long time ago. I think inetd is stuck in
some loop which can be terminated only by killing and restarting it.

	-Andre

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
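The thread turns on two observations about the `inetd -l` log: the builtin-service lines arrive at a rate no legitimate client produces, and because `time` and `daytime` alternate, syslogd's "last message repeated N times" suppression never kicks in. The script below is an added example, mine and not part of the mailing-list message or of FreeBSD's inetd, that parses lines of the form shown in the thread, flags any inetd process logging more than a threshold of one service per second, tallies hits per peer (Sheldon Hearn's point: a sender that randomizes source addresses spreads this tally thin), and models syslogd's consecutive-duplicate collapse to show why alternating messages defeat it. The peer address after `from` is an assumption (the thread elides it as `[...]`), and the sample log lines are constructed, not taken from the original `/var/log/messages`.

```python
import re
from collections import Counter

# Shape of a FreeBSD "inetd -l" line as quoted in the thread, e.g.
#   Jul 23 11:21:28 printfix inetd[1743]: daytime from 192.168.17.100
# The trailing peer address is an assumption; the thread shows it as "[...]".
INETD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) inetd\[(?P<pid>\d+)\]: "
    r"(?P<service>\w+) from (?P<peer>\S+)$"
)
# Leading "Mon DD HH:MM:SS " timestamp, which syslogd ignores when comparing
# a message with the previous one.
TS_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")

# Constructed sample: one legitimate daytime hit, one unrelated daemon line,
# then the alternating time/daytime storm from a single inetd, all within
# the same second.
SAMPLE_LINES = (
    ["Jul 23 11:20:01 printfix inetd[1743]: daytime from 192.168.17.5",
     "Jul 23 11:21:28 printfix lpd[200]: restarted"]
    + [line for _ in range(5) for line in (
        "Jul 23 11:21:28 printfix inetd[1743]: time from 192.168.17.100",
        "Jul 23 11:21:28 printfix inetd[1743]: daytime from 192.168.17.100")]
)


def parse_inetd_lines(lines):
    """Yield (timestamp, pid, service, peer) for each inetd -l line; skip the rest."""
    for line in lines:
        m = INETD_LINE.match(line)
        if m:
            yield m["ts"], int(m["pid"]), m["service"], m["peer"]


def service_rates(lines):
    """Hits per (second, inetd pid, builtin service)."""
    rates = Counter()
    for ts, pid, service, _peer in parse_inetd_lines(lines):
        rates[(ts, pid, service)] += 1
    return rates


def find_bursts(lines, threshold):
    """(ts, pid, service, count) for every second in which one inetd process
    logged more than `threshold` hits of one service. A stuck inetd shows up
    as the same pid exceeding the threshold second after second."""
    return sorted(
        (ts, pid, svc, n)
        for (ts, pid, svc), n in service_rates(lines).items()
        if n > threshold
    )


def hits_by_peer(lines):
    """Hits per source address. Useful against a single noisy client; useless
    against a sender that randomizes origin addresses, since every peer then
    appears once."""
    return Counter(peer for _ts, _pid, _svc, peer in parse_inetd_lines(lines))


def syslogd_collapse(lines):
    """Model syslogd's duplicate suppression: a run of messages identical
    (ignoring the timestamp) to the previous one is replaced by the first
    message plus "last message repeated N times". Two alternating messages
    are never identical to their predecessor, so nothing is suppressed."""
    out, last, repeats = [], None, 0
    for line in lines:
        msg = TS_PREFIX.sub("", line, count=1)
        if msg == last:
            repeats += 1
            continue
        if repeats:
            out.append(f"last message repeated {repeats} times")
            repeats = 0
        out.append(line)
        last = msg
    if repeats:
        out.append(f"last message repeated {repeats} times")
    return out


if __name__ == "__main__":
    for burst in find_bursts(SAMPLE_LINES, threshold=3):
        print("burst:", burst)
    print("hits by peer:", dict(hits_by_peer(SAMPLE_LINES)))
    print("lines syslogd would write:", len(syslogd_collapse(SAMPLE_LINES)),
          "of", len(SAMPLE_LINES))
```

Run against the constructed sample, the alternating storm is flagged for both `time` and `daytime` from pid 1743 while the single legitimate hit is not, and `syslogd_collapse` writes every one of the twelve lines because no two consecutive messages match; feed it five identical lines instead and it writes two.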