Re: Process table attack (from RISKS Digest)

From: unknownat_private
Date: Mon Feb 22 1999 - 15:49:45 PST


    Apache is also quite vulnerable, at least to a http DOS... It's pretty
    easy to swamp it by opening HARD_SERVER_LIMIT connections.
    
    It's also usually unnecessary to use a root-spawned daemon for the attack,
    as long as you can find more than one listening daemon.  The per-user
    limit is often something like 1/2 the size of the process table.  I know
    that under Linux it is by default (MAX_TASKS_PER_USER = NR_TASKS/2).
    
    In experimentation, I found that there was no need to use multiple
    machines or anything like that to perform the attack using Linux or
    FreeBSD.  Sample code is at http://www.riverstyx.net/stuff/pbomb.pl.  All
    that needed to be done on FreeBSD was increase MAX_OPEN.  On Linux,
    NR_OPEN and MAX_OPEN needed to be increased.  You might also have to
    fiddle with /proc/sys/kernel/file-max and ulimit.
    
    On a related note, on a Linux machine with Apache's HARD_SERVER_LIMIT
    higher than Linux' MAX_TASKS_PER_USER it'll do some pretty interesting
    stuff.  You'll end up with a couple hundred instances of Apache that are
    unkillable by any method, all sitting on port 80 and not responding to
    anything beyond the initial connection.  The only solution that I know of
    is to reboot at that point...
    
    On Sat, 20 Feb 1999, Mark Boolootian wrote:
    
    > Date: Fri, 19 Feb 1999 16:08:06 -0500
    > From: "Simson L. Garfinkel" <simsongat_private>
    > Subject: Process-table attack
    >
    > Wide-ranging attack works against almost any UNIX systems on the Internet
    >
    > ABSTRACT:
    >
    > The Process Table Attack is a [relatively] new kind of denial-of-service
    > attack that can be waged against numerous network services on a variety of
    > different UNIX systems. The attack is launched against network services
    > which fork() or otherwise allocate a new process for each incoming TCP/IP
    > connection.  Although the standard UNIX operating system places limits on
    > the number of processes that any one user may launch, there are no limits on
    > the number of processes that the superuser can create other than the hard
    > limits imposed by the operating system. Since incoming TCP/IP connections
    > are usually handled by servers that run as root, it is possible to
    > completely fill a target machine's process table with multiple
    > instantiations of network servers. Properly executed, this attack prevents
    > any other command from being executed on the target machine.
    
    <snippage>
    
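As an added illustration (not code from this thread or from the RISKS article), a small audit over a constructed `ps` snapshot that applies the limits discussed above: it reports how full the table is, warns when a non-root user nears MAX_TASKS_PER_USER, and flags root-owned daemons whose forked children already exceed what the per-user cap would have allowed, since that cap does not apply to root. The NR_TASKS value, the warning threshold and the snapshot contents are assumptions.

```python
from collections import Counter

# Assumed process-table size for the demo; the per-user cap mirrors the
# thread's Linux description (MAX_TASKS_PER_USER = NR_TASKS/2).
NR_TASKS = 512
MAX_TASKS_PER_USER = NR_TASKS // 2

# Constructed snapshot in `ps -eo user,pid,ppid,comm` layout, header omitted:
# inetd (root) has forked 400 fingerd children, httpd's workers run as www.
SNAPSHOT = "\n".join(
    ["root 1 0 init", "root 80 1 inetd", "root 90 1 httpd"]
    + ["root %d 80 fingerd" % (200 + i) for i in range(400)]
    + ["www %d 90 httpd" % (700 + i) for i in range(40)]
    + ["alice 950 1 bash"]
)

def parse_ps(text):
    """Return (user, pid, ppid, comm) tuples from ps-style lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            user, pid, ppid, comm = parts
            rows.append((user, int(pid), int(ppid), comm))
    return rows

def audit(text, nr_tasks=NR_TASKS, per_user=MAX_TASKS_PER_USER, warn=0.8):
    """Report conditions that precede process-table exhaustion."""
    rows = parse_ps(text)
    user_of = {pid: user for user, pid, _, _ in rows}
    comm_of = {pid: comm for _, pid, _, comm in rows}
    by_user = Counter(user for user, _, _, _ in rows)
    children = Counter(ppid for _, _, ppid, _ in rows)
    findings = []
    fill = len(rows) / nr_tasks
    if fill >= warn:
        findings.append(("table", round(fill, 2)))
    for user, n in by_user.items():
        # Non-root users are stopped by the per-user cap; warn when close.
        if user != "root" and n >= per_user * warn:
            findings.append(("user-cap", user, n))
    for ppid, n in children.items():
        # A root daemon is not subject to the per-user cap, so its forked
        # children can keep growing until the whole table is full.
        if user_of.get(ppid) == "root" and n >= per_user * warn:
            findings.append(("root-daemon", comm_of.get(ppid, "?"), n))
    return findings
```

On a live host the snapshot would come from `ps -eo user,pid,ppid,comm --no-headers`, and the per-user and table limits from the running kernel rather than the constants above.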
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:23 PDT