Re: News DoS using sendsys

From: Don Lewis (Don.Lewisat_private)
Date: Thu Aug 27 1998 - 16:05:51 PDT


    On Aug 27,  9:32am, David Shaw wrote:
    } Subject: Re: News DoS using sendsys
    } On Wed, Aug 26, 1998 at 03:52:58PM -0700, Russ Allbery wrote:
    } > There are several possible solutions at different levels of complexity.
    } >
    } > First, please make sure that your control.ctl file or the equivalent has a
    } > line like:
    } >
    } >         sendsys:*:*:drop
    }
    } While you're at it, it might be worth adding:
    }
    }         senduuname:*:*:drop
    }         version:*:*:drop
    }
    } I suspect that once everyone configures their server to stop responding to
    } sendsys, the bombers will switch to senduuname and version.  I have
    } already seen a hundred "version" requests come in.  Neither version nor
    } senduuname are relevant to the overwhelming majority of INN installations
    } out there.
    
    Yup, they've already switched.  There's still a lot of overhead even if
    you configure "drop".  Here's something that I found in news.admin.technical
    that is relevant for INN users:
    
    > From: raoulat_private (Nico Garcia)
    > Subject: Re: System bogs during sendsys bomb attacks
    > Approved: scottat_private-Bay.ORG
    > Sender: scottat_private-Bay.ORG (Scott Hazen Mueller)
    > Organization: The Internet Access Company
    > Message-ID: <6r8cum$dtf@news-central.tiac.net>
    > References: <6r6ir7$c6g$1at_private>
    > Date: Mon, 17 Aug 1998 05:38:28 GMT
    > Lines: 19
    >
    > In article <6r6ir7$c6g$1at_private>,
    > Paul Tomblin <ptomblinat_private> wrote:
    > >I'm running stock INN 1.7.2, and every time I get a batch of HIPCRIME sendsys
    > >bombs, my load average briefly goes up through the roof.  This is in spite of
    > >the fact that I have it set to drop sendsys in control.ctl.  I seem to have a
    > >copy of /var/lib/newsbin/control/sendsys running for each message.  Is there a
    > >tweak I can do somewhere to reduce the priority on these things?  I thought
    > >they were run out of ctlrun, but that doesn't appear to be the case.
    >
    > "echo exit >/var/lib/newsbin/control/sendsys"
    >
    > That won't prevent the processes but it will shorten the hell out
    > of their execution time.
    >
    > --
    >                                 Nico Kadel-Garcia, ne' Garcia
    >                                 raoulat_private
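
An added example (not part of the original message and not INN code): a Python check that a control.ctl text drops the three control messages named in this thread for every sender. It assumes control.ctl's `message:from:newsgroups:action` layout with the last matching line winning; the sample file contents and the `parse` and `audit` helpers are constructed for illustration.

```python
WATCHED = ("sendsys", "senduuname", "version")

# Constructed sample control.ctl content, not taken from any real server.
SAMPLE = """\
## constructed example
all:*:*:mail
sendsys:*:*:drop
senduuname:*:*:drop
senduuname:admin@example.invalid:*:doit=mail
version:*:*:log=version
"""

def parse(text):
    """Yield (message, from_pat, groups_pat, action) for each rule line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed line, ignored by this check
        msg, sender, groups, action = fields
        # Strip an "=logfile" style suffix, e.g. "log=version" -> "log".
        yield msg, sender, groups, action.split("=", 1)[0]

def audit(text, watched=WATCHED):
    """Return {message: status}: 'dropped', 'overridden' or 'not dropped'."""
    report = {}
    for name in watched:
        status = "not dropped"
        for msg, sender, groups, action in parse(text):
            if msg not in (name, "all"):
                continue
            if sender == "*" and groups == "*":
                # A catch-all line replaces whatever matched earlier.
                status = "dropped" if action == "drop" else "not dropped"
            elif action != "drop" and status == "dropped":
                # A later, narrower line wins for the senders it matches.
                status = "overridden"
        report[name] = status
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

A "dropped" result only confirms the configuration; on the INN 1.7.2 setup described in the quoted post, the control script was still started for each message.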
    


