
This was forwarded to me by a friend. I don't know if it was ever addressed on this list, but here y'all go.

----- Forwarded message -----
From: Hendrik Scholz <hendrik@SCHOLZ.NET>
Subject: DOS against SuSE's identd
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Hi!

The inetd.conf starts the identd with the options -w -t120 -e. This means that one identd process waits 120 seconds after answering the first request to answer later requests. Let's say we start 100 requests in a short period. Due to the fact that it takes time to answer one request, more identds will be started, each eating up about 900 KB of memory and waiting 120 seconds before terminating.

I tested this behaviour on different machines with different hardware (RAM, swap, NIC). Each machine becomes unusable after some seconds.

This bug is in _every_ SuSE version at least since 4.4. SuSE seems not to be interested in this bug because they did not answer any of my mails.

CU,
Hendrik
----- End forwarded message -----
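The behaviour Hendrik describes (one identd per request, each lingering for the full -t timeout) is easiest to catch by auditing inetd.conf. The script below is an added example, not part of the thread or of SuSE's packaging: it reads a constructed sample inetd.conf, reports the -t timeout of any active identd entry, fails when that timeout is above a chosen limit, and writes a copy with the service commented out, which is the fix Mark Lutz mentions later in the thread. The service names "ident" and "auth", the sample paths and the 10-second limit are assumptions; only the -w -t120 -e options come from the post.

```shell
#!/bin/sh
# Added example (not from the thread): audit an inetd.conf for an active identd
# entry, report the -t idle timeout the post describes, and produce a copy with
# the service disabled. The sample inetd.conf below is constructed here; it is
# not SuSE's file, and the service names "ident"/"auth" are an assumption.

SAMPLE_INETD_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_INETD_CONF"' EXIT
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# constructed sample, modelled on the options quoted in the thread (-w -t120 -e)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd      in.ftpd
ident   stream  tcp     wait    nobody  /usr/sbin/in.identd in.identd -w -t120 -e
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd      in.fingerd
EOF

# Print the -t timeout (seconds) of every active, uncommented ident/auth entry.
# Prints nothing when the service is commented out or has no -t option.
identd_timeout() {
    awk '
        $1 ~ /^#/ { next }                              # commented-out entry
        $1 == "ident" || $1 == "auth" {
            for (i = 7; i <= NF; i++) {                 # options follow the program name
                if ($i ~ /^-t[0-9]+$/) print substr($i, 3)
                else if ($i == "-t" && (i + 1) <= NF) print $(i + 1)
            }
        }
    ' "$1"
}

# Succeed when identd is disabled or every active entry waits at most $2 seconds
# (default 10); fail otherwise, so the function can drive a cron or audit check.
identd_ok() {
    max=${2:-10}
    for t in $(identd_timeout "$1"); do
        [ "$t" -le "$max" ] || return 1
    done
    return 0
}

# Write a copy of inetd.conf to stdout with every active ident/auth entry
# commented out (the "comment it out if you don't need it" fix from the thread).
disable_identd() {
    awk '$1 == "ident" || $1 == "auth" { print "#" $0; next } { print }' "$1"
}

echo "active identd timeout(s): $(identd_timeout "$SAMPLE_INETD_CONF")"
if identd_ok "$SAMPLE_INETD_CONF" 10; then
    echo "identd: OK"
else
    echo "identd: active with a long -t timeout; disable it or lower -t"
fi
disable_identd "$SAMPLE_INETD_CONF"
```

On a real system, point the functions at /etc/inetd.conf and send inetd a HUP after replacing the file; lowering -t only shortens the window, whereas commenting the entry out removes the process-per-request behaviour entirely.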

* Chrissy LeMaire <chrissy@netnerds.net> writes:
> This was forwarded to me by a friend. I don't know if it was ever addressed on this list, but here y'all go.

It's on "today's" BUGTRAQ Digest - 13 Aug 1999 to 16 Aug 1999 (#1999-36).

> The inetd.conf starts the identd with the options -w -t120 -e.

That's also true for SuSE 6.0. What's the solution? Change the -t to ten seconds? Or less? Since I don't need this service I commented it out in "/etc/inetd.conf" some time ago. This is recommended for all services one doesn't need.

> SuSE seems not to be interested in this bug because they did not answer any of my mails.

Now THIS is a HUGE security problem. SuSE, what's going on?

-- 
Mark Lutz
Accept German and English

On Tue, Aug 17, 1999 at 01:33:23PM +0200, Mark Lutz wrote:

Note to those who were quick to follow up to Mark -- please re-read this. The way I interpret it, the security problem isn't identd (big deal, most of us have commented it out..) -- but that SuSE didn't answer the bugtraq poster's emails. *That* is a bit of a security risk, if SuSE isn't going to address the concerns raised by its users.

I do wonder though how hard he tried to get the nice people at SuSE to look at the error -- I for one never saw his posting to suse-security, only bugtraq. So, maybe he did try to contact SuSE, maybe he didn't.

In any case, take another look at what Mark said, and decide for yourself if he was a bit concerned at SuSE's packaging of identd, or if he is concerned about how SuSE handles security issues.

-- 
Seth Arnold | ICQ 3172483 | http://cswww.willamette.edu/~sarnold/
I prosecute unsolicited bulk emails, using the RealTime BlackHole List.
You should too. Ask me how, or visit http://maps.vix.com/rbl/

Since last Thursday I've been seeing UDP attacks. Basically just a lot of UDP. It can crash Windows real good but under Linux it just tends to slow things down some. The question is what can I do to minimize things even more? When they start I get about 1 meg worth of output from tcpdump in a 10 minute time frame.

Nick
-- 
---------------------
Nick Zentena
SuSE 6.1 Linux 2.2.11
Proudly rejecting all Yahoo mail since 1999
---------------------

If you have a) ipchains and b) IP firewalling turned on in the kernel you can block the spammers. I *think* something like this is needed:

    ipchains -A input -p udp -s 192.168.0.1/32 -d 0.0.0.0/0 -j DENY

of course, changing the 192.168.0.1 to the real IP address.

Another possibly useful thing is to send some of those tcpdump logs to their upstream provider, and your upstream provider. Maybe your provider would be willing to block all such traffic for you -- and maybe their provider would be happy to block all such traffic too. <shrug> :)

ps -- thanks to Johannes Erdfelt I no longer have to see silly bounce messages from the guy at agulla.upc.es! Thank you so much Johannes! :)

On Tue, Aug 17, 1999 at 03:48:32PM -0400, Nick Zentena wrote:

-- 
Seth Arnold | ICQ 3172483 | http://cswww.willamette.edu/~sarnold/
I prosecute unsolicited bulk emails, using the RealTime BlackHole List.
You should too. Ask me how, or visit http://maps.vix.com/rbl/
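To get from Nick's tcpdump output to the per-source block Seth proposes, the script below (an added example, not from the thread) counts UDP packets per source address in a tcpdump text capture, lists the sources at or above a threshold, and prints, without running, a correctly formed ipchains DENY rule for each (ipchains takes -s for the source, -d for the destination and -j for the target). The capture lines, the addresses and the 100-packet threshold are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise UDP traffic in a tcpdump capture
# by source address and print, rather than run, the ipchains rule the thread
# proposes for each flooding source. The capture lines below are constructed
# for this example; the addresses and the 100-packet threshold are assumptions.

SAMPLE_TCPDUMP=$(mktemp)
trap 'rm -f "$SAMPLE_TCPDUMP"' EXIT
i=0
while [ "$i" -lt 150 ]; do    # one constructed flooding source: 150 UDP packets
    echo "15:02:11.$i IP 192.168.0.1.$((40000 + i)) > 10.0.0.5.7: UDP, length 1024" >> "$SAMPLE_TCPDUMP"
    i=$((i + 1))
done
cat >> "$SAMPLE_TCPDUMP" <<'EOF'
15:02:12.000001 IP 10.1.1.1.53 > 10.0.0.5.33000: UDP, length 80
15:02:12.000002 IP 10.1.1.1.53 > 10.0.0.5.33001: UDP, length 80
15:02:12.000003 IP 172.16.0.9.2500 > 10.0.0.5.80: Flags [S], seq 1, length 0
EOF

# Count UDP packets per source address in a tcpdump text file ($1) and print
# "count address", busiest first, for every source with at least $2 packets
# (default 100). Works on both the old "udp" and the newer "UDP, length"
# tcpdump formats because it only looks for the "src > dst" token pair.
udp_top_talkers() {
    awk -v min="${2:-100}" '
        tolower($0) !~ /udp/ { next }              # keep UDP packets only
        {
            for (i = 2; i <= NF; i++) {
                if ($i == ">") {
                    src = $(i - 1)
                    sub(/\.[0-9]+$/, "", src)      # strip the source port
                    n[src]++
                    break
                }
            }
        }
        END { for (s in n) if (n[s] >= min) print n[s], s }
    ' "$1" | sort -rn
}

# Print one ipchains DENY rule per flooding source (ipchains syntax: -s source,
# -d destination, -j target). Review the output before applying any of it.
udp_block_rules() {
    udp_top_talkers "$1" "$2" |
        awk '{ print "ipchains -A input -p udp -s " $2 "/32 -d 0.0.0.0/0 -j DENY" }'
}

echo "UDP sources at or above threshold:"
udp_top_talkers "$SAMPLE_TCPDUMP" 100
echo "proposed rules:"
udp_block_rules "$SAMPLE_TCPDUMP" 100
```

In practice the input would be something like `tcpdump -n udp > capture.txt` taken while the slowdown is happening. Read the list before loading any rule: UDP source addresses can be spoofed, so a top talker in the capture is not necessarily the real origin, and the same per-source counts are what an upstream provider will want to see.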

I could not possibly agree more with this statement. I tried to speak with a few of the SuSE guys that attended the LinuxWorld Expo about SuSE's lack of concern about security. I was not impressed by the answer I received. It was basically, "Post a feedback complaint and I'm sure something will probably get done". To put it bluntly, NO, my concerns were not taken seriously either. For the record this is not the first time SuSE has been criticized for its lack of support when security issues were discovered. You can search the Bugtraq list. You'll find more than one posting.

Considering the lack of response from SuSE on this list I don't blame him if he didn't bother to post here. IMHO, this list should be watched *very* closely by a security expert at or employed by SuSE not only to intercept information on new security issues but to answer questions and provide real support for SuSE customers. RedHat posts security announcements to all its lists and responds to customer inquiries on security issues and postings to bugtraq almost immediately. They don't often do a great job of getting patches out quickly but at least they take the time to acknowledge to their customer base that they are aware of the issue and something is being done about it. I'm sure that the members of this list that recently had their servers hacked into because the IMAP exploit was very poorly publicized on this list would most likely agree with me.

Finally, for those that posted saying that this issue is not a big deal I strongly suggest you rethink your position. I am a paying customer. Should I not expect a quality product or service for my money? Linux distributions should be no different than any other product I buy. If it's broken I expect the company to act in a responsible manner to fix it. If not, I'll probably take my business (and money!) elsewhere.

SuSE? Hello? Are you listening?

Mario Paz

Mark Lutz wrote:

IPLimit may fix that kind of DOS. Get it from http://www.jedi.claranet.fr .

-- 
Standard C Programming language is now ISO C9X !
Frank DENIS aka Jedi/Sector One <j@c9x.org>

hello! This is not a bug but a feature. There are several inetd alternatives (www.freshmeat.net :). As far as I can remember it is named xinetd, but don't nail me on this.

cya
stefan
participants (7)
- Chrissy LeMaire
- Jedi/Sector One
- Mark Lutz
- Mr. M
- Nick Zentena
- Seth R Arnold
- Stefan Völkel