News DoS using sendsys

From: Walter Hafner (hafnerat_private-MUENCHEN.DE)
Date: Wed Aug 26 1998 - 02:50:15 PDT


    I think we (a local ISP in Augsburg/Germany ...) are hit by a DoS that
    wasn't described here before:
    
    Our newsserver (INN) all of a sudden gets several hundred 'sendsys' requests
    per day. The addresses of the people requesting the sendsys seem to be
    completely random. They all seem to be normal user accounts. We have been
    seeing these sendsys requests for about a week now.
    
    Since our INN is configured to report all 'unusual' control messages to
    the news administrators rather than execute them, the DoS doesn't hurt
    us very much. My mail folder now usually looks like:
    
      N  2   Aug 26 News Subsystem     (74)   sendsys by ktakamuraat_private
      N  3   Aug 26 News Subsystem     (53)   sendsys by ritchieat_private
      N  4   Aug 26 News Subsystem     (64)   sendsys by ritchieat_private
      N  5   Aug 26 News Subsystem     (64)   sendsys by flaaggat_private
      N  6   Aug 26 News Subsystem     (66)   sendsys by ktakamuraat_private
    
    The bodies of the mails look like:
    
    jf enbg kg
    wwt ncoy psb
    bdoo ldb jg
    aqk gsic jnsy
    td mvdo gvui
    mt uhlq pab
    nicw vvk knb
    kqqu ippi htji
    bsp vpq hdm
    [...]
    
    I didn't bother to check the validity of the addresses (note the double
    addresses).
    
    I can imagine two impacts on small ISPs:
    
    - The lines of the ISP can get overloaded (if you're a small ISP like we
    are, and have only very limited bandwidth, this can be an issue).
    - If you have only limited resources and use one machine to do mail and
    news, this machine will slow down considerably. Furthermore, your
    spooling partition could overflow (if it is handling news _and_ mail)
    and throttle the INN.
    
    Fortunately, this DoS is very easy to stop: just make sure that the
    newsserver doesn't reply to a 'sendsys' automatically.
    
    -Walter
    
    --
    Walter Hafner_______________________________ hafnerat_private
          http://www.in.tum.de/~hafner/
     The best observation I can make is that the BSD Daemon logo
     is _much_ cooler than that Penguin :-)   (Donald Whiteside)
    
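The two checks a news admin would want after reading Walter's report, as an added example that is not part of the original post or of the INN distribution: an audit of INN's control.ctl for a sendsys rule that auto-replies (the setting that turns the server into a mail amplifier), and a count of the "sendsys by <address>" notifications per day and per requester from the admin mailbox index, so a burst like the one above is noticed early. The control.ctl lines are assumed to follow INN's `message:from:newsgroups:action` syntax with the `doit`, `doifarg`, `log` and `mail` actions; the mailbox index lines and the addresses in them are constructed to match the shape quoted in the post.

```python
"""Added example, not from the post or from INN: audit control.ctl for an
auto-replying sendsys rule, and count sendsys notifications per day."""
import re
from collections import Counter

# Constructed control.ctl fragments (assumed INN syntax: message:from:newsgroups:action).
WEAK_CONTROL_CTL = """\
# sendsys: reply with our newsfeeds file to whoever asks -- a mail amplifier
sendsys:*:*:doit=sendsys
"""

SAFE_CONTROL_CTL = """\
# sendsys: never auto-reply; mail the request to the news admins instead
sendsys:*:*:mail
"""


def audit_control_ctl(text):
    """Return the sendsys rules whose action would execute the request (doit/doifarg)."""
    risky = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # not a message:from:newsgroups:action line
        message, action = fields[0], fields[3]
        verb = action.split("=", 1)[0]  # "doit=sendsys" -> "doit" (the =file part is a log name)
        if message == "sendsys" and verb in ("doit", "doifarg"):
            risky.append(line)
    return risky


# Constructed mailbox index lines in the shape the post quotes (addresses are made up).
MAILBOX_INDEX = """\
  N  2   Aug 26 News Subsystem     (74)   sendsys by ktakamura@example.invalid
  N  3   Aug 26 News Subsystem     (53)   sendsys by ritchie@example.invalid
  N  4   Aug 26 News Subsystem     (64)   sendsys by ritchie@example.invalid
  N  5   Aug 26 News Subsystem     (64)   sendsys by flaagg@example.invalid
  N  6   Aug 26 News Subsystem     (66)   sendsys by ktakamura@example.invalid
  N  7   Aug 25 News Subsystem     (60)   sendsys by someone@example.invalid
  N  8   Aug 25 Cron Daemon        (12)   nightly expire report
"""

# status, message number, "Mon DD", sender column, ..., "sendsys by <address>"
LINE_RE = re.compile(r"^\s*\S+\s+\d+\s+(\w{3} \d{1,2})\s+.*?\bsendsys by (\S+)")


def count_sendsys_reports(index_text, threshold=100):
    """Count sendsys notifications per day and per requesting address.

    Returns (per_day, per_sender, noisy_days); noisy_days lists the days whose
    count reaches the threshold (the post saw several hundred a day, so 100
    is a reasonable default for a small site).
    """
    per_day = Counter()
    per_sender = Counter()
    for line in index_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendsys notification
        day, sender = m.group(1), m.group(2)
        per_day[day] += 1
        per_sender[sender] += 1
    noisy = sorted(day for day, n in per_day.items() if n >= threshold)
    return per_day, per_sender, noisy


if __name__ == "__main__":
    print("weak config, risky rules:", audit_control_ctl(WEAK_CONTROL_CTL))
    print("safe config, risky rules:", audit_control_ctl(SAFE_CONTROL_CTL))
    per_day, per_sender, noisy = count_sendsys_reports(MAILBOX_INDEX, threshold=5)
    print("per day:", dict(per_day))
    print("top requesters:", per_sender.most_common(3))
    print("days over threshold:", noisy)
```

The audit only looks at the action verb, so a `doit=sendsys` rule is flagged even though it also logs; `log` and `mail` rules are what the post recommends, since they record or forward the request without sending the newsfeeds file anywhere. The counter keys on the requesting address, which is why the repeated addresses Walter noticed show up as counts greater than one.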



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:33 PDT