Re: 11 years of inetd default insecurity?

[Mike Tancsa <mike@xxxxxxxxxx>]

At 06:08 PM 06/09/2003 +0400, 3APA3A wrote:

> The  problem  is,  remote attacker can establish as much connections per
> minute  as  bandwidth allows... Now, guess how inetd reacts if more than
> 256 connections received in one minute? It will disable service for next
> 10   minutes   to  help attack to succeed. Of cause, this is documented.
> Interval is not configurable.
>
> something like
>
> Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service 
> terminated
>
> will  appear  in  logs...  If  connection  is  closed by attacker before
> service actually starts, IP address of attacker will never be logged.
>
> IV. Workaround

Hi,
On FreeBSD's inetd there is the -C option in conjunction with the -R option

     -C rate
             Specify the default maximum number of times a service can be
             invoked from a single IP address in one minute; the default is
             unlimited.  May be overridden on a per-service basis with the
             "max-connections-per-ip-per-minute" parameter.

     -R rate
             Specify the maximum number of times a service can be invoked in
             one minute; the default is 256.  A rate of 0 allows an unlimited
             number of invocations.

You can run without either of these options, but then you risk a DoS from 
resource starvation.  e.g. invoke 1000 copies of ftpd and eat up all the 
RAM/Swap etc.  Its problematic either way, but at least you can mitigate 
the effects somewhat if its a single host attacking.

        ---Mike