More info since that was just a fragment.... and didn't explain the issue.

Summary: BB sends QUIT to port 1352, as the end of the test. Lotus barfs on it, due to it being more than 2 chars. Over time, this will go from a mere annoyance in the logs to a full server failure.

Dunno if someone submitted this to Lotus yet... I'm just filling in the details since it hit bugtraq. I've cut and pasted (with little concern for headers or authors) the relevant thread. Dejanews archives the bb mailing as muc.lists.bb, do a search for the full thread (it's all in the last few days)

Various authors----

-------
I had monitored Domino servers this way for a few days, when the Notes people said they were getting messages on the server complaining about short packet size connections or something of the sort, which apparently caused the server to stop responding after some time.

I don't know how to monitor Notes availability other than this, though... I have heard there is something out there called 'notes ping' or something like that. Any pointers anyone?

regs - malcolm

-------
On Thu, 19 Aug 1999 opsahlrat_private wrote:

> That Lotus Notes is listening and answering on its standard port 1352.
>
> For Lotus cc:Mail routers you would do the same, but for port 3264
>
> If you stop the process, or if the process fails to start after a boot
> of the hosting server, you will probably get green on conn and red on
> Notes/ccMail. As both tests are done from the BBNET machine, they can
> be done even if you have no administrative rights on the hosting
> server, or no wish to install a BB-client on that machine.
>
> We stopped monitoring Notes this way after one or two Notes servers
> crashed and we were accused of causing it with this test method. I
> think it is safe, Lotus suggest the method in a Knowledgebase article,
> but of course never suggest to automate it.
>
> Hi There
>
> by changing this line
> ssh* | telnet* | nntp* | ftp* | pop* | smtp* | imap* ) # OUR SERVICES
> to this
> lotusnotes* | ssh* | telnet* | nntp* | ftp* | pop* | smtp* | imap* ) # OUR SERVICES
> in bb-network.sh
>
> and add this line to /etc/services
> lotusnotes 1352/tcp
>
> an external check of a Lotus Notes server is applied.
> -------

If these symptoms remain valid, you just conceived a valid DOS attack on server. Lotus should thank you and name a patch after you :-(

Someone posted info that they *believed* the BB test to the Notes port caused their Lotus systems to crash...I can confirm it. Our 2 servers have run non stop for over a year (give or take). I added the BB test to query the smtp, notes, and conn and this message came today regarding the test. It started just hours after the software was implemented, and technically disabled the function of the server by today. Once stopped, the server returned to normal. This is just an FYI! Here is the error:

08/21/99 05:35:34 PM Network error on port TCPIP (session 24760001): (Network error: buffer was too small)
08/21/99 05:35:51 PM Searching Administration Requests database.
08/21/99 05:43:51 PM Network error on port TCPIP (session 24790002): (Network error: buffer was too small)

The "problem" is that if you're sending characters to the Notes TCP port, it seems to give this failure message (network buffer too small blahblah) if the word you are sending is larger than 2 or 3 characters. bbnet, which does all the network tests, connects (in the Notes case) to TCP port 1352, and after that it sends a QUIT in order to try to disconnect the connection. Since QUIT is more than 2 chars, Notes produces this specific error (didn't know it did actually crash servers though).

My solution was to edit the bbnet.c source file, and replace the sending of the QUIT command to disconnect by closing the TCP socket.
Here's the code: (line 211 in bbnetsend in $BBHOME/src/bbnet.c)

Replace this line:

sprintf(line, "quit\r\n");

by this:

close (sockfd);

then recompile bbnet.c by doing a 'make bbnet' in the src dir. Copy the new binary 'bbnet' to the $BBHOME/bin directory.

Beware, bbnet is used by BB for _ALL_ network tests, so it has an effect on the other tests as well. In practice, there shouldn't be any problems.

------
Mark what version of lotus domino are you using ????

I have run BigBrother on our notes servers since may, and we haven't experienced this ever... I do get the log-entry, but all servers keep running...

I am using
* 4.61 / Windows NT
* 4,64 / Windows NT
* 5.01 Sneak preview / Redhat Linux

------
Rather than hacking bbnet and changing its behaviour for all tests, the better way is to simply pass it an extra parameter as is done for the imap* test case. eg:

# echo "SETTING UP PROTOCOL SPECIFIC DATA" # By default bbnet sends "quit" case $SVCNAME in imap* ) textmsg="* LOGOUT" ;; + notes* ) + textmsg="" + ;; *) textmsg="DONTUSEARGS" ;; esac

Or I am sure there is a correct message that you can send within the lotus notes protocol/spec so it would be better still to find and use that.

Of course, Lotus should also fix their bug so that this doesn't become a nice DoS attack.... (I wonder if it is also exploitable.... possibly...)

On Sun, 22 Aug 1999, Andrej Todosic wrote:

> aleph , this may be of interest
>
> > ----------
> > From: Sean MacGuire[SMTP:SEANat_private]
> > Sent: Sunday, August 22, 1999 6:50:02 PM
> > To: bbat_private
> > Subject: Re: {bb} Notes Test Confirmed! (It kills the server)
> > Auto forwarded by a Rule
> >
> > Someone posted info that they *believed* the BB test to the Notes port caused
> > their Lotus systems to crash...I can confirm it.
> > So who wants to give lotus the good news :)
> >
> > 08/21/99 05:35:34 PM Network error on port TCPIP (session 24760001): (Network error: buffer was too small)
> > 08/21/99 05:35:51 PM Searching Administration Requests database.
> > 08/21/99 05:43:51 PM Network error on port TCPIP (session 24790002): (Network error: buffer was too small)
> --
> Sean MacGuire, Reality Engineering the BB Ministry of Truth
> seanat_private http://www.bb4.com
> +1 514 630 6415
>
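
Review bot: the added "notes* )" arm in the bb-network.sh case statement only matches service names that begin with "notes", while the setup quoted earlier in this thread registers the service as "lotusnotes" (the "lotusnotes* |" pattern and the "lotusnotes 1352/tcp" entry in /etc/services). With that name $SVCNAME would land in the "*)" arm (textmsg="DONTUSEARGS"), which the comment above the case suggests still sends "quit". Use "lotusnotes* )" here, or rename the service to match, and add a short comment saying why textmsg is empty for this service. The snippet also does not show how bbnet treats an empty textmsg, so confirm that "" results in nothing being written to the socket rather than a fallback to the default.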
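
The fix discussed in the thread (disconnect by closing the socket instead of sending "quit"), written out as a stand-alone connect-only port check in C. This is an added example, not code from the original messages or from the Big Brother source; probe_tcp and the placeholder address in main are made up for the illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Connect-only availability check (hypothetical helper for this example).
 * Returns 1 if the TCP handshake to ip:port completes within timeout_sec,
 * 0 if it does not, -1 on a local error. No payload is ever written. */
int probe_tcp(const char *ip, unsigned short port, int timeout_sec)
{
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &addr.sin_addr) != 1)
        return -1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    /* Non-blocking connect so a filtered port cannot hang the monitor. */
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
    int up = 0;
    if (connect(fd, (struct sockaddr *)&addr, sizeof addr) == 0) {
        up = 1;
    } else if (errno == EINPROGRESS) {
        fd_set wfds;
        struct timeval tv = { timeout_sec, 0 };
        FD_ZERO(&wfds);
        FD_SET(fd, &wfds);
        if (select(fd + 1, NULL, &wfds, NULL, &tv) == 1) {
            int err = 0;
            socklen_t len = sizeof err;
            /* SO_ERROR is 0 only if the handshake actually succeeded. */
            if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) == 0 && err == 0)
                up = 1;
        }
    }
    close(fd); /* disconnect by closing, never by sending a command */
    return up;
}

/* Placeholder target; exit status 0 means the port accepted the connection. */
int main(void) { return probe_tcp("127.0.0.1", 1352, 3) == 1 ? 0 : 1; }
```

The service under test sees a connection that opens and closes with zero bytes of data, so the check reports reachability without sending any command to the port.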
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:58:32 PDT