mailing list archives
Re: FTP denial of service attack
From: ahu () CASEMA NET (bert hubert)
Date: Tue, 7 Dec 1999 22:40:09 +0100
On Tue, Dec 07, 1999 at 11:29:56PM +1100, Darren Reed wrote:
Who has more free file descriptors & network ports, you or the ftp server ?
On a general note, and I am thankful that this is relatively unknown as yet,
almost any TCP/IP based service is vulnerable to simple DoS tricks. It is
very easy to create many ''TCP/IP Connections'' which do take resources at
the server end, but very little at the client end.
With the abundance of cracked boxes about, the malicious user may well be
All the malicious user needs to do is send lots of hand crafted SYNs and ACKs
without involving the local OS in any way. The remote server tries to handle
thousands of very real connections which all need to timeout before the
connection is closed and the resources are freed. A PalmPilot could disable
an entire server farm this way.
Current operating systems aren't very well equiped to handle this. Programs
are forced to accept() a connection and have no way to prevent the kernel
from ACKing the connection and allocating resources.
The free unixes these days mostly come with packet filtering available by
default, these might be best off. One could imagine a 'libfilter' which
would easily allow daemons with the right permissions/capabilities to
instruct the kernel to not accept connections anymore from a certain host.
Periodically, the daemon should clear old filters. It should also do this
when instructed and on startup. I think it has merit to investigate this
idea further and implement it portably. Most modern unixes support some form
of packet filtering, libfilter could be a means to provide them to daemons.
There are ways to protect servers against such an attack with dedicated
hardware but such measures are not widely implemented today and may also
'protect' indiscriminately against normal traffic in case of false
positives. A daemon can be more specific in its measures.
+---------------+ | http://www.rent-a-nerd.nl
| nerd for hire | |
+---------------+ | - U N I X -
| | Inspice et cautus eris - D11T'95
Re: FTP denial of service attack Theo de Raadt (Dec 08)
Re: FTP denial of service attack Gregory A Lundberg (Dec 10)
RSAREF2 buffer overflow patch Gerardo Richarte (Dec 11)
Re: new IE5 remote exploit Shane Hird (Dec 07)