> Subject: Process-table attack
>
> The Process Table Attack is a [relatively] new kind of denial-of-service
> attack that can be waged against numerous network services on a variety of
> different UNIX systems. The attack is launched against network services

This flaw isn't only limited to programs run from inetd (or other on-demand forking servers). Over a year ago, I reported a DoS attack present in the "comsat" daemon (used to notify users of incoming mail). That report can be found at:

http://geek-girl.com/bugtraq/1997_3/0398.html

Now, a simple way to avoid these kinds of denial of service attacks is to watch for multiple connections to a port (especially ones with no data) from a single source (at an IDS or firewall level). You can then react by logging the attempts, firewalling the connections, or even spoofing connection resets to the local machine to clear out the connection table.

The major problem with that approach, however, is that some programs (the in.comsatd vulnerability, in particular) *look* like they're performing normal activity when a denial of service attack is in progress. Now, I'm sure that other programs exist that exhibit the same behavior, and these provide an even more worrisome issue than the normal forking-server family of daemons.

I hope this gets the gears rolling in some of the brighter minds out there...

/Andrew Hobgood
[http://web.strange.net | Kha0S on EFnet IRC (#LinuxOS)]
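The detection heuristic the post suggests (many connections to one port from a single source that have carried no data) can be checked against a connection listing on the host. The script below is an added example, not code from the post or its author; it assumes a `netstat -tn`-style layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State) and a constructed sample, and treats a zero Recv-Q on an ESTABLISHED connection as "no data", which is only an approximation, since a server that has already read its input also shows an empty queue.

```python
from collections import defaultdict

# Constructed sample imitating `netstat -tn` output (assumed column layout:
# Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State).
SAMPLE_NETSTAT = """\
tcp        0      0 10.0.0.5:25          192.0.2.77:40001     ESTABLISHED
tcp        0      0 10.0.0.5:25          192.0.2.77:40002     ESTABLISHED
tcp        0      0 10.0.0.5:25          192.0.2.77:40003     ESTABLISHED
tcp        0      0 10.0.0.5:25          192.0.2.77:40004     ESTABLISHED
tcp       48      0 10.0.0.5:25          198.51.100.9:5123    ESTABLISHED
tcp        0      0 10.0.0.5:22          203.0.113.4:61000    ESTABLISHED
tcp        0      0 10.0.0.5:25          192.0.2.77:40005     TIME_WAIT
"""

def parse_netstat(text):
    """Yield (local_port, remote_host, recv_q, state) for each TCP line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        _proto, recv_q, _send_q, local, remote, state = fields[:6]
        local_port = int(local.rsplit(":", 1)[1])
        remote_host = remote.rsplit(":", 1)[0]
        yield local_port, remote_host, int(recv_q), state

def idle_connection_counts(text):
    """Count ESTABLISHED connections with an empty receive queue, keyed by
    (remote_host, local_port). Recv-Q == 0 is the "no data" heuristic; it
    cannot distinguish a silent peer from one whose data was already read."""
    counts = defaultdict(int)
    for local_port, remote_host, recv_q, state in parse_netstat(text):
        if state == "ESTABLISHED" and recv_q == 0:
            counts[(remote_host, local_port)] += 1
    return dict(counts)

def suspicious_sources(text, threshold=3):
    """Return sorted [(remote_host, local_port, count)] for every source that
    holds at least `threshold` idle connections to a single local port."""
    return sorted(
        (host, port, n)
        for (host, port), n in idle_connection_counts(text).items()
        if n >= threshold
    )

if __name__ == "__main__":
    for host, port, n in suspicious_sources(SAMPLE_NETSTAT):
        print(f"{host} holds {n} idle connections to local port {port}")
```

A real deployment would feed the current connection table in periodically and tune `threshold` to the service's normal concurrency; as the post notes, a daemon such as in.comsatd that looks busy while being starved will not trip a zero-Recv-Q rule at all.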
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:24 PDT