Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq Archives: Re: FTP denial of service attack

Re: FTP denial of service attack

Subject: Re: FTP denial of service attack
From: bert hubert (ahuCASEMA.NET)
Date: Tue Dec 07 1999 - 15:40:09 CST

On Tue, Dec 07, 1999 at 11:29:56PM +1100, Darren Reed wrote:

> Who has more free file descriptors & network ports, you or the ftp server ?

On a general note, and I am thankful that this is relatively unknown as yet,
almost any TCP/IP based service is vulnerable to simple DoS tricks. It is
very easy to create many ''TCP/IP Connections'' which do take resources at
the server end, but very little at the client end.

With the abundance of cracked boxes about, the malicious user may well be

All the malicious user needs to do is send lots of hand crafted SYNs and ACKs
without involving the local OS in any way. The remote server tries to handle
thousands of very real connections which all need to timeout before the
connection is closed and the resources are freed. A PalmPilot could disable
an entire server farm this way.

Current operating systems aren't very well equiped to handle this. Programs
are forced to accept() a connection and have no way to prevent the kernel
from ACKing the connection and allocating resources.

The free unixes these days mostly come with packet filtering available by
default, these might be best off. One could imagine a 'libfilter' which
would easily allow daemons with the right permissions/capabilities to
instruct the kernel to not accept connections anymore from a certain host.

Periodically, the daemon should clear old filters. It should also do this
when instructed and on startup. I think it has merit to investigate this
idea further and implement it portably. Most modern unixes support some form
of packet filtering, libfilter could be a means to provide them to daemons.

There are ways to protect servers against such an attack with dedicated
hardware but such measures are not widely implemented today and may also
'protect' indiscriminately against normal traffic in case of false
positives. A daemon can be more specific in its measures.


bert hubert.

    +---------------+  |              http://www.rent-a-nerd.nl
    | nerd for hire |  |
    +---------------+  |                     - U N I X -
            |          |          Inspice et cautus eris - D11T'95

This archive was generated by hypermail 2b27 : Wed Dec 08 1999 - 23:33:38 CST