(For those of you that do not know bugtraq. I suggest taking a look at it. It is a moderated full disclosure security mailing list. Archives can be found on www.securityfocus.com (run by the moderator of the list, aleph1 aka elias levy.) It does have more traffic than SuSE-Secuirty, and much of it has nothing to do with whatever it is you are doing. All the same, it is interesting reading.) This is the last message on this subject I am going to forward to SuSE-security from bugtraq. I do sort of imagine this will be the last substantive message on the subject. :) ----- Forwarded message from Peter Eriksson <peter@IFM.LIU.SE> ----- Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@securityfocus.com X-Authentication-Warning: sharrow.ifm.liu.se: peter set sender to peter@sharrow.ifm.liu.se using -f Date: Tue, 17 Aug 1999 10:56:46 +0200 Reply-To: Peter Eriksson <peter@IFM.LIU.SE> From: Peter Eriksson <peter@IFM.LIU.SE> Subject: DOS against SuSE's identd X-To: bugtraq@securityfocus.com To: BUGTRAQ@SECURITYFOCUS.COM Hendrik Scholz <hendrik@SCHOLZ.NET> writes:

The inetd.conf starts the identd with the options -w -t120 -e. This means that one identd process waits 120 seconds after answering the first request to answer later request. Lets say we start 100 requests in a short period. Due to the fact that it takes time to answer one request more identd's will be started each eating up about 900kb memory and waiting 120 seconds before terminating. I tested this behaviour on different machines with different hardware (RAM, Swap, NIC). Each machine becomes unusable after some seconds. This bug is in _every_ SuSE Version at least since 4.4. SuSE seems not to be interested in this bug becaus they did not answer any of my mails.

This bug is probably due to some incompatibility between SuSE's inetd daemons handling of 'stream tcp' & 'wait' servers and the way Pidentd expects it to be handled. The "normal" (as normal as it can be since 'stream tcp wait' normally is not a supported configuration) thing that should happen is that Inetd should start _one_ Pidentd, which then should handle all new requests in sub-processes, which should die immediately after the request has been handled. In the Suse case it seems (my guess) that Inetd keeps on starting new Pidentd's... Anyway, I nowadays _generally_ recommend people to stay away from the "-w" stuff in Pidentd due to the problems with the behaviours of various Inetd implementations... I recommend instead that people get the latest version of Pidentd (version 3.0.7 as of this writing) which uses multithreaded instead of forking subprocesses - this can reduce the load on systems significantly). Pidentd 3.0.7 (and later) can be downloaded from: ftp://ftp.lysator.liu.se/pub/ident/servers Here's the PGP Signature of that file: -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use MessageID: D750KrTMC9lSc8xPJqIOoI5ldgh6QDYj iQCVAwUAN7c0a0GVHk0UMIghAQH7/wP8DV9NyDrPxMfa8lxSRMrGK8/kNSeKU+Z0 G+eX267t7WpjlP3puVchb7lp7zbtYlJhd6jyuxzwFJrGZs6GJGgT8B6vtFYqfYFm 9n5DAylzrTezWYUEkTQpy4UV+w1gVTa7+/qJcbkTm2rJaPaxp11duf0NH9zOhGZG gzfAOgkXMrU= =Mfo4 -----END PGP SIGNATURE----- /Peter (The Pidentd author) ----- End forwarded message ----- -- Seth Arnold | ICQ 3172483 | http://cswww.willamette.edu/~sarnold/ I prosecute unsolicited bulk emails, using the RealTime BlackHole List. You should too. Ask me how, or visit http://maps.vix.com/rbl/