On Mon, 16 Aug 1999, Danton Nunes wrote: > Hendrik says: > > The inetd.conf starts the identd with the options -w -t120 > > -e. > > This means that one identd process waits 120 seconds after > > answering the first request to answer later request. > > No. accordint to inetd's man page: > > The -t<seconds> option is used to specify the timeout > limit. This is the number of seconds a server started with > the -w flag will wait for new connections before terminat- > ing. The server is automatically restarted by inetd when- > ever a new connection is requested if it has terminated. A > suitable value for this is 120 (2 minutes), if used. It > defaults to no timeout (i.e. will wait forever, or until a > fatal condition occurs in the server). > > this does not mean that the server does nothing until <seconds> > elapse. it listen to requests and serves them. if there is > no request during the <seconds> period it dies. Many inetd-spawned > servers do like this (e.g. xtacacsd). if something is going wrong > it is not related to the -t120 flag. Maybe inetd does not know > there is an identd on duty and spawns another copy. > No, no. It is actually not inetd who spawns new processes, it is really the in.identd. In fact, inetd has a fork-resource-limit built in, so that it will refuse to spawn new servers if more than 40 (by default) requests come in for the same service. The in.identd found on the SuSE distribution is version 2.7.4 of Peter Eriksson's pidentd, and that would fork one process for every new client request as long as it can breath. > > Lets say we start 100 requests in a short period. > > Due to the fact that it takes time to answer one request > > more identd's will be started each eating up about 900kb > > memory and waiting 120 seconds before terminating. > > I tested this behaviour on different machines with different > > hardware (RAM, Swap, NIC). > > Each machine becomes unusable after some seconds. > > This bug is in _every_ SuSE Version at least since 4.4. > > this bug (if the bug is the way inetd is invoked) is in almost > every /etc/inetd.conf in the Unix galaxy, not specific to SuSE Linux. > No, again. Sorry. It can safely be regarded as a bug. The "bug" is to not perform resource control. In that respect you are right, there are other buggy servers out there on the net. Anyway, inetd itself is clean. The obvious fix is to change the /etc/inetd.conf setting to "-i -e" which we will consider. This uses more resources (as every server started goes through the database reading functions), but is DoS attack safe. There are two viable long term solutions. Either switch to version 3.x.x of pidentd, but for various reasons we have not yet full confidence into this major rewrite, mainly for warnings the author himself has expressed. Please don't get that wrong, this *IS* excellent software. And in terms of resource control this version is clean. What we will be providing on a short term basis is a patched 2.7.4 with the resource control built in. With that fix in place it will be clean also and can be invoked with "-i", "-w" or "-b" at will. > -- > Danton Nunes | Consultoria e Serviços de Acesso à Internet > InterNexo Ltda. | http://www.inexo.com.br/ mailto:dantonat_private > S.J.Campos,BRASIL | PGP: 02 D1 E2 DF 21 EC 48 69 3F D5 4D 1B 5D 73 F4 B5 > We will shortly compile the fix and provide an advisory. Both will be posted here when available. Volker Wiegand -- Volker Wiegand Phone: +49 (0) 6196 / 50951-24 SuSE Rhein/Main AG i.G. Fax: +49 (0) 6196 / 40 96 07 Mergenthalerallee 45-47 Mobile: +49 (0) 179 / 292 66 76 D-65760 Eschborn E-Mail: Volker.Wiegandat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:17 PDT