Apache is also quite vulnerable, at least to an HTTP DoS... It's pretty easy to swamp it by opening HARD_SERVER_LIMIT connections. It's also usually unnecessary to use a root-spawned daemon for the attack, as long as you can find more than one listening daemon. The per-user limit is often something like 1/2 the size of the process table. I know that under Linux it is by default (MAX_TASKS_PER_USER = NR_TASKS/2).

In experimentation, I found that there was no need to use multiple machines or anything like that to perform the attack using Linux or FreeBSD. Sample code is at http://www.riverstyx.net/stuff/pbomb.pl. All that needed to be done on FreeBSD was increase MAX_OPEN. On Linux, NR_OPEN and MAX_OPEN needed to be increased. You might also have to fiddle with /proc/sys/kernel/file-max and ulimit.

On a related note, on a Linux machine with Apache's HARD_SERVER_LIMIT higher than Linux' MAX_TASKS_PER_USER it'll do some pretty interesting stuff. You'll end up with a couple hundred instances of Apache that are unkillable by any method, all sitting on port 80 and not responding to anything beyond the initial connection. The only solution that I know of is to reboot at that point...

On Sat, 20 Feb 1999, Mark Boolootian wrote:

> Date: Fri, 19 Feb 1999 16:08:06 -0500
> From: "Simson L. Garfinkel" <simsongat_private>
> Subject: Process-table attack
>
> Wide-ranging attack works against almost any UNIX systems on the Internet
>
> ABSTRACT:
>
> The Process Table Attack is a [relatively] new kind of denial-of-service
> attack that can be waged against numerous network services on a variety of
> different UNIX systems. The attack is launched against network services
> which fork() or otherwise allocate a new process for each incoming TCP/IP
> connection. Although the standard UNIX operating system places limits on
> the number of processes that any one user may launch, there are no limits on
> the number of processes that the superuser can create other than the hard
> limits imposed by the operating system. Since incoming TCP/IP connections
> are usually handled by servers that run as root, it is possible to
> completely fill a target machine's process table with multiple
> instantiations of network servers. Properly executed, this attack prevents
> any other command from being executed on the target machine.

<snippage>
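Added example (not from the original post or the referenced pbomb.pl): two defender-side checks for the exhaustion scenario the thread describes. `connection_hogs()` runs over constructed netstat-style lines and reports remote hosts holding an unusual number of simultaneous connections to the served port, which is what a process-per-connection server sees during such an attack. `limit_headroom()` compares a forking server's configured child ceiling (Apache's HARD_SERVER_LIMIT in the post) with the per-user process limit and the global process table, flagging the two conditions the thread mentions: a server limit above the per-user limit, and a server that, at its ceiling, leaves no process slots for an administrator to run commands. The netstat sample, the limit values and the `reserve` parameter are assumptions made for the example; the counting treats the global table as a single pool and ignores per-user accounting of other users, which is a simplification.

```python
"""Defender-side checks for process-table exhaustion on a forking server.

Both functions are pure so they can be tested offline; wire them to
`netstat -tn` / `ss -tn` output and `ulimit -u` values on a real host.
"""
import re
from collections import Counter

# Constructed sample of `netstat -tn`-style output (not captured data).
SAMPLE_NETSTAT = """\
tcp        0      0 10.0.0.5:80       192.0.2.7:51234     ESTABLISHED
tcp        0      0 10.0.0.5:80       192.0.2.7:51235     ESTABLISHED
tcp        0      0 10.0.0.5:80       192.0.2.7:51236     ESTABLISHED
tcp        0      0 10.0.0.5:80       198.51.100.9:40001  ESTABLISHED
tcp        0      0 10.0.0.5:22       203.0.113.4:33000   ESTABLISHED
tcp        0      0 10.0.0.5:80       192.0.2.7:51237     SYN_RECV
"""

# proto recv-q send-q local:port remote:port state (IPv4 dotted-quad form only)
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def parse_connections(text):
    """Yield (local_port, remote_host, state) for each TCP line in `text`."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(2)), m.group(3), m.group(5)


def connection_hogs(text, port=80, threshold=3, states=("ESTABLISHED",)):
    """Return {remote_host: count} for hosts holding at least `threshold`
    connections to `port` in one of `states`, most connections first.

    A forking server spends one process per connection, so a single remote
    host holding many connections is the signal worth alerting on.
    """
    counts = Counter(
        host for lport, host, state in parse_connections(text)
        if lport == port and state in states
    )
    return {host: n for host, n in counts.most_common() if n >= threshold}


def limit_headroom(server_limit, user_nproc_limit, user_in_use,
                   table_size, table_in_use, reserve=32):
    """Describe whether a forking server's maximum child count fits inside
    the per-user process limit and the system-wide process table.

    server_limit      configured child ceiling (e.g. Apache HARD_SERVER_LIMIT)
    user_nproc_limit  per-user limit for the server's uid (`ulimit -u`)
    user_in_use       processes that uid already runs
    table_size        total process slots on the host
    table_in_use      slots currently occupied (all users)
    reserve           slots an admin needs free to still run commands (assumed)
    """
    # Children the per-user limit actually permits beyond what is running.
    user_room = max(0, user_nproc_limit - user_in_use)
    # Slots left in the global table once the server reaches its ceiling.
    table_room_after_peak = table_size - table_in_use - server_limit
    return {
        # How many children can really be forked before fork() starts failing.
        "reachable_children": min(server_limit, user_room),
        # The mismatch the post warns about: ceiling above the per-user limit.
        "server_limit_exceeds_user_limit": server_limit > user_room,
        "table_room_after_peak": table_room_after_peak,
        # False means a full server leaves no room for a recovery shell.
        "admin_reserve_ok": table_room_after_peak >= reserve,
    }


if __name__ == "__main__":
    print("connection hogs on :80 ->", connection_hogs(SAMPLE_NETSTAT))
    # Assumed values: server ceiling 256, per-user limit 128 (table/2 as in
    # the post), 10 processes already running as that user, 512-slot table.
    print("headroom ->", limit_headroom(256, 128, 10, 512, 300))
```

`connection_hogs` is the cheap signal to run from cron or a monitoring agent; `limit_headroom` is a one-off sanity check when sizing a server's child limit against `ulimit -u` and the process table, so the server can neither outgrow its own uid's limit nor leave the host without slots for an administrator.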
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:23 PDT