On Tue, Dec 07, 1999 at 11:29:56PM +1100, Darren Reed wrote:

> Who has more free file descriptors & network ports, you or the ftp server ?

On a general note, and I am thankful that this is relatively unknown as yet, almost any TCP/IP based service is vulnerable to simple DoS tricks. It is very easy to create many "TCP/IP Connections" which do take resources at the server end, but very little at the client end. With the abundance of cracked boxes about, the malicious user may well be untraceable.

All the malicious user needs to do is send lots of hand crafted SYNs and ACKs without involving the local OS in any way. The remote server tries to handle thousands of very real connections which all need to timeout before the connection is closed and the resources are freed. A PalmPilot could disable an entire server farm this way.

Current operating systems aren't very well equipped to handle this. Programs are forced to accept() a connection and have no way to prevent the kernel from ACKing the connection and allocating resources. The free unixes these days mostly come with packet filtering available by default; these might be best off.

One could imagine a 'libfilter' which would easily allow daemons with the right permissions/capabilities to instruct the kernel to not accept connections anymore from a certain host. Periodically, the daemon should clear old filters. It should also do this when instructed and on startup.

I think it has merit to investigate this idea further and implement it portably. Most modern unixes support some form of packet filtering; libfilter could be a means to provide them to daemons.

There are ways to protect servers against such an attack with dedicated hardware, but such measures are not widely implemented today and may also 'protect' indiscriminately against normal traffic in case of false positives. A daemon can be more specific in its measures.

Regards,

bert hubert.
-- 
| http://www.rent-a-nerd.nl | nerd for hire |
| - U N I X - | Inspice et cautus eris - D11T'95
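The 'libfilter' idea from the message above, as an added example that is not bert hubert's code and not any real library: a daemon-side policy layer in Python that counts connection attempts per source host in a sliding window, asks a pluggable packet-filter backend to block a host that exceeds the threshold, expires those blocks after a TTL, and clears leftover filters on startup. The backend, the thresholds and the host addresses (RFC 5737 documentation ranges) are constructed for this example; a real backend would call the platform's packet filter instead of recording calls.

```python
"""Added example: a 'libfilter'-style policy layer for a network daemon.

The daemon calls note_connection() with the peer address it sees after
accept(); the filter decides when to ask the kernel to stop accepting
packets from that host and when to lift the block again.
"""
import time
from collections import deque


class RecordingBackend:
    """Stand-in for the kernel packet-filter interface (constructed for this example).

    A real backend would add/remove a per-host rule in the platform's packet
    filter; this one only records what it was asked to do.
    """

    def __init__(self):
        self.blocked = set()
        self.calls = []

    def block(self, host):
        self.blocked.add(host)
        self.calls.append(("block", host))

    def unblock(self, host):
        self.blocked.discard(host)
        self.calls.append(("unblock", host))

    def clear(self):
        self.blocked.clear()
        self.calls.append(("clear", None))


class ConnectionFilter:
    def __init__(self, backend, threshold=50, window=10.0, ttl=300.0,
                 clock=time.monotonic):
        self.backend = backend
        self.threshold = threshold   # attempts per window that trigger a block
        self.window = window         # seconds of history kept per host
        self.ttl = ttl               # seconds a block stays installed
        self.clock = clock           # injectable for deterministic tests
        self.attempts = {}           # host -> deque of attempt timestamps
        self.expiry = {}             # host -> time at which its block is lifted
        # On startup, drop any filters left behind by an earlier run.
        self.backend.clear()

    def note_connection(self, host):
        """Record one attempt from host; return True if host is (now) blocked."""
        now = self.clock()
        if host in self.expiry:
            return True
        q = self.attempts.setdefault(host, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # forget attempts outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.backend.block(host)
            self.expiry[host] = now + self.ttl
            del self.attempts[host]
            return True
        return False

    def expire(self):
        """Periodic housekeeping: lift blocks older than ttl; return hosts freed."""
        now = self.clock()
        freed = [h for h, t in self.expiry.items() if t <= now]
        for h in freed:
            self.backend.unblock(h)
            del self.expiry[h]
        return freed

    def clear_all(self):
        """Lift every block, e.g. when the operator instructs the daemon to."""
        self.backend.clear()
        self.expiry.clear()


class FakeClock:
    """Deterministic clock so the demonstration below does not sleep."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate():
    """Constructed scenario: one bursting host, one quiet host, then TTL expiry."""
    clock = FakeClock()
    backend = RecordingBackend()
    flt = ConnectionFilter(backend, threshold=20, window=10.0, ttl=300.0, clock=clock)
    burst_host, quiet_host = "192.0.2.10", "192.0.2.20"   # constructed addresses
    burst_blocked = False
    for _ in range(20):                 # 20 attempts within 2 seconds
        burst_blocked = flt.note_connection(burst_host)
        clock.advance(0.1)
    quiet_blocked = False
    for _ in range(5):                  # 5 attempts spread over 50 seconds
        quiet_blocked = flt.note_connection(quiet_host) or quiet_blocked
        clock.advance(10.0)
    early = flt.expire()                # ~52 s in: block still within its TTL
    clock.advance(300.0)
    late = flt.expire()                 # past the TTL: block is lifted
    return {"burst_blocked": burst_blocked, "quiet_blocked": quiet_blocked,
            "freed_early": early, "freed_late": late,
            "backend_calls": backend.calls, "blocked_now": set(backend.blocked)}


if __name__ == "__main__":
    for k, v in simulate().items():
        print(k, v)
```

The sliding window keeps a noisy-but-legitimate host from being blocked on a single spike, and the TTL plus the clear-on-startup step bound the damage of a false positive: a misidentified host is only refused for `ttl` seconds, and a crashed daemon never leaves stale rules behind.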
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:19:13 PDT