FW: DOS against SuSE's identd
Hello,

There are two "RTFM" answers in Bugtraq today. I crosspost these. Please have a detailed look at both. The second message has an interesting conclusion.

Jörg Freudenberger

-----Original Message-----
From: Danton Nunes [mailto:danton@INEXO.COM.BR]
Sent: Tuesday, August 17, 1999 3:20 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: DOS against SuSE's identd

Hendrik says:
> The inetd.conf starts the identd with the options -w -t120 -e. This means that one identd process waits 120 seconds after answering the first request to answer later requests.
No. According to inetd's man page:

    The -t<seconds> option is used to specify the timeout limit. This is the number of seconds a server started with the -w flag will wait for new connections before terminating. The server is automatically restarted by inetd whenever a new connection is requested if it has terminated. A suitable value for this is 120 (2 minutes), if used. It defaults to no timeout (i.e. will wait forever, or until a fatal condition occurs in the server).

This does not mean that the server does nothing until <seconds> elapse. It listens for requests and serves them. If there is no request during the <seconds> period it dies. Many inetd-spawned servers behave like this (e.g. xtacacsd). If something is going wrong it is not related to the -t120 flag. Maybe inetd does not know there is an identd on duty and spawns another copy.
> Let's say we start 100 requests in a short period. Due to the fact that it takes time to answer one request, more identd's will be started, each eating up about 900kb memory and waiting 120 seconds before terminating. I tested this behaviour on different machines with different hardware (RAM, Swap, NIC). Each machine becomes unusable after some seconds. This bug is in _every_ SuSE Version at least since 4.4.
This bug (if the bug is the way inetd is invoked) is in almost every /etc/inetd.conf in the Unix galaxy, not specific to SuSE Linux.

--
Danton Nunes       | Internet Access Consulting and Services
InterNexo Ltda.    | http://www.inexo.com.br/  mailto:danton@inexo.com.br
S.J.Campos, BRASIL | PGP: 02 D1 E2 DF 21 EC 48 69 3F D5 4D 1B 5D 73 F4 B5

-----Original Message-----
From: Alan Brown [mailto:alan@MANAWATU.GEN.NZ]
Sent: Tuesday, 17 August 1999 04:24
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: DOS against SuSE's identd

On Sat, 14 Aug 1999, Hendrik Scholz wrote:
> The inetd.conf starts the identd with the options -w -t120 -e. This means that one identd process waits 120 seconds after answering the first request to answer later requests.
No, it means that the identd is persistent and will shut down after 120 seconds of idle time.

What ends up happening is that a master identd process spawns a child for each request and you're running into a basic FD-based DoS attack.

AB
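The thread's two replies converge on the same point: the trouble is how inetd invokes identd, not the -t120 timeout itself. The following is an added audit script (example code, not from any poster or from SuSE) that parses an inetd.conf and flags service lines where inetd is told `nowait` (fork one server per connection) while the server is also passed `-w` (stay resident and wait for more connections). That combination is the one described above, where every burst of connections leaves a pile of idle processes behind until their timeout expires. The sample configuration and the `nowait`+`-w` heuristic are assumptions drawn from the thread, not rules taken from any man page.

```python
import shlex

# Constructed sample inetd.conf (not from the page); the first auth entry
# mirrors the SuSE invocation described in the thread.
SAMPLE_INETD_CONF = """\
# service socket proto wait/nowait user   server              args
auth   stream tcp nowait root   /usr/sbin/in.identd in.identd -w -t120 -e
finger stream tcp nowait nobody /usr/sbin/tcpd      in.fingerd
auth   stream tcp wait   root   /usr/sbin/in.identd in.identd -w -t120 -e
"""

def parse_inetd_conf(text):
    """Return one dict per active service line; comments and blanks skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 6:           # malformed line: too few fields
            continue
        entries.append({
            "line": lineno,
            "service": fields[0],
            # "nowait.40" style rate suffixes are dropped; only the mode matters here
            "wait": fields[3].lower().split(".")[0],
            "server": fields[5],
            "args": fields[6:],
        })
    return entries

def server_timeout(args):
    """Seconds given to the server via -t<seconds> or '-t <seconds>', else None."""
    for i, a in enumerate(args):
        if a.startswith("-t"):
            value = a[2:] or (args[i + 1] if i + 1 < len(args) else "")
            return int(value) if value.isdigit() else None
    return None

def find_lingering_forks(entries):
    """Flag 'nowait' entries whose server also runs in persistent (-w) mode.
    inetd forks a fresh server per connection, and each copy then idles until
    its -t timeout, so connection bursts turn into resident processes."""
    findings = []
    for e in entries:
        if e["wait"] == "nowait" and "-w" in e["args"]:
            findings.append((e["line"], e["service"], server_timeout(e["args"])))
    return findings

if __name__ == "__main__":
    for line, svc, timeout in find_lingering_forks(parse_inetd_conf(SAMPLE_INETD_CONF)):
        print(f"line {line}: {svc} is nowait but its server uses -w (each copy idles {timeout}s)")
```

Only the first auth line is reported; the `wait` variant hands the listening socket to a single identd, which is the mode `-w` is meant to pair with.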