Intrusion Detection Systems mailing list archives

Portsentry DoS


From: Carric Dooley <carric () com2usa com>
Date: Wed, 9 May 2001 11:37:10 -0400 (EDT)

I was wondering if anyone else has had problems with Portsentry. I have a
box that WAS running portsentry, and it started alerting saying "Possible
attack against tcp port 143... Message repeated 44596375 times... Message
repeated 67894321 times..." This would happen within a few seconds of
restarting Portsentry, and then the box would become completely
unresponsive.  I shut down portsentry for the time being and haven't had a
problem since. The box is running Red Hat 7.1 (kernel 2.4.1-0.1.9) and
portsentry version 1.0-11.

I tried completely removing and re-installing portsentry, as it had run
fine on this box a couple of weeks before it started flaking out.  I also
tried a tcpdump to look for any traffic on 143 and I saw nothing.

Anybody else out there see that?

Thank you.


Carric Dooley
Senior Consultant
COM2:Interactive Media

"But this one goes to eleven."
-- Nigel Tufnel


