Re: News DoS using sendsys

From: Forrest J. Cavalier III (mibsoftat_private)
Date: Wed Aug 26 1998 - 11:27:01 PDT


    From:          Walter Hafner <hafnerat_private-MUENCHEN.DE>
    
    > Our newsserver (INN) all of a sudden gets several 100 'sendsys' requests
    > per day. The addresses of the people requesting the sendsys seem to be
    > completely random. They all seem to be normal user-accounts. We have been
    > seeing these sendsys requests for about a week now.
    
    Part I: sendsys mailbombing
    ---------------------------
    The "From" addresses are all probably forged addresses.  The sendsys
    message was sent from elsewhere to mailbomb the "From" address.
    Hundreds of sites around the internet will process the requests and
    generate one piece of mail each to the apparent originator.
    
    Disabling automatic sendsys processing is appropriate, as suggested.
    However....
    
    Part II: the Denial of Service
    ------------------------------
    INN processes control messages, including sendsys, by spawning a
    shell process, which in turn spawns numerous shell and other
    processes which decide what action to take with the message.
    
    A typical Usenet machine receives hundreds of messages per
    minute.  Because control messages are processed as they arrive,
    rather than waiting for the previous one to finish processing, it
    is possible to cause a machine's load to skyrocket in short
    order.
    
    news.software.nntp has recently had a discussion on this topic.
    (There is a third-party patch to "serialize" control message processing,
    which also more efficiently ignores messages, as it doesn't require
    the same shell-script processing.)
    
    Depending on the flavor of message filter you are using, you may
    be able to block control messages from being accepted.
    
    All stock versions of INN, from 1.4 (and perhaps earlier) to INN 2.1 are
    vulnerable.  Current INN 2.x snapshots have an option to serialize
    control message processing, I believe.
    
    > Fortunately, this DoS is very easy to stop: Just make sure that the
    > Newsserver doesn't reply to a 'sendsys' automatically.
    
    That removes the mailbombing characteristic, but only partially
    helps with the system load.
    
    Forrest J. Cavalier III, Mib Software, INN customization and consulting
    'Pay-as-you-go' commercial support for INN: Only $64/hour!
    Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages: Free access!
       http://www.mibsoftware.com/innsup.htm
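
The load difference described in Part II, as an added example that is not part of the original post and is not INN code: a small Python model comparing spawn-on-arrival handling of control messages with serialized handling that drops ignored control types before any handler starts. The sample burst, the 5-second handler cost and all function names are assumptions made for illustration.

```python
import heapq

# Constructed sample burst: (arrival_second, Control header value).
# Not taken from any real feed.
SAMPLE = [(0, "sendsys"), (0, "sendsys"), (1, "newgroup alt.test"),
          (1, "sendsys"), (2, "sendsys"), (2, "cancel <1@example.invalid>"),
          (3, "sendsys"), (3, "sendsys")]

HANDLER_SECONDS = 5    # assumed cost of one shell-script handler run
IGNORED = {"sendsys"}  # control types the site has chosen not to act on


def control_type(header_value):
    """First word of a Control: header value, lower-cased (RFC 1036 style)."""
    parts = header_value.split()
    return parts[0].lower() if parts else ""


def peak_spawn_on_arrival(msgs, cost=HANDLER_SECONDS):
    """Every message starts a handler at once; return peak concurrent handlers."""
    running, peak = [], 0  # min-heap of handler finish times
    for t, _ in sorted(msgs):
        while running and running[0] <= t:
            heapq.heappop(running)  # handlers that finished before this arrival
        heapq.heappush(running, t + cost)
        peak = max(peak, len(running))
    return peak


def serialized(msgs, ignored=IGNORED, cost=HANDLER_SECONDS):
    """One handler at a time; ignored types are dropped before any spawn.
    Returns (peak_concurrency, handlers_spawned, finish_time_of_last)."""
    free_at, spawned = 0, 0
    for t, hdr in sorted(msgs):
        if control_type(hdr) in ignored:
            continue  # cheap in-process drop, no shell started
        start = max(t, free_at)  # wait for the previous handler to finish
        free_at = start + cost
        spawned += 1
    return (1 if spawned else 0, spawned, free_at)
```

With an empty `ignored` set, the serialized model still caps concurrency at one handler, but the backlog for the same burst takes 40 seconds to drain instead of 11.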
    


