Re: Multiple Antivirus Scanners DoS attack.
From: Jason Haar (Jason.Haartrimble.co.nz)
Date: Sun Jun 20 2004 - 16:51:16 CDT
On Thu, Jun 17, 2004 at 08:50:49AM +0200, Jacek Osiecki wrote:
> I have also checked the latest F-Prot for Windows - it scans the file for
> quite a long time, but finally does not crash and detects the virus
Aren't we missing the point here? If I can construct a ~10K file that causes
an AV to hang for 20 mins+ - and I send 50 of them at your server - then
*even if they have no virus in them*, they will DoS you.
Isn't the solution that AVs need to have "resource limits" - where you as
the admin get to set:
* the max size that a file can be expanded to
* the max recursions you will do
* the max time you are willing to spend scanning a message (that would be
hard - becomes a bit of a loop when under load...)
* the max memory you are willing to let your AV grow to
and if any of those conditions are exceeded, then the AV must block-and-exit
(perhaps with a "DoS" descriptor). That way larger sites who are willing to
throw more hardware at this problem can have larger limits - basically you
can set those values to match your environment.
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
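The resource limits proposed above, as an added example written for this page (not code from the post or from any AV product): a hypothetical scanner front end in Python that expands nested zip archives while counting the real decompressed output, the recursion depth and the wall-clock time against admin-set limits, and returns a block verdict naming the exceeded limit instead of carrying on. Names such as BoundedScanner and scan are assumptions; the memory limit is not enforced separately but is approximated by reading in small chunks under the expanded-size budget, and the nested zips are constructed inside the block.

```python
import io
import time
import zipfile
CHUNK = 64 * 1024  # decompress in small pieces so memory stays near the budget, not above it
class LimitExceeded(Exception):
    pass
class BoundedScanner:
    """Hypothetical scanner front end: enforces admin-set limits while expanding archives."""
    def __init__(self, max_expanded_bytes=16 * 1024 * 1024, max_depth=4, max_seconds=10.0):
        self.max_expanded_bytes = max_expanded_bytes  # total bytes we are willing to decompress
        self.max_depth = max_depth                    # archive-inside-archive levels to descend
        self.max_seconds = max_seconds                # wall-clock budget for one message
    def _charge(self, nbytes):
        if time.monotonic() > self.deadline:
            raise LimitExceeded("scan-time")
        self.expanded += nbytes
        if self.expanded > self.max_expanded_bytes:
            raise LimitExceeded("expanded-size")
    def _walk(self, blob, depth):
        if depth > self.max_depth:
            raise LimitExceeded("recursion")
        try:
            zf = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            return  # leaf file: handing it to the signature engine is out of scope here
        with zf:
            for info in zf.infolist():
                out = io.BytesIO()
                with zf.open(info) as fh:  # header-declared sizes are untrusted; count real output
                    while chunk := fh.read(CHUNK):
                        self._charge(len(chunk))
                        out.write(chunk)
                self._walk(out.getvalue(), depth + 1)
    def scan(self, blob):
        """Return 'clean', or 'blocked:<limit>' as the block-and-exit verdict."""
        self.expanded, self.deadline = 0, time.monotonic() + self.max_seconds
        try:
            self._walk(blob, 0)
        except LimitExceeded as exc:
            return f"blocked:{exc}"
        return "clean"

def build_nested_zip(levels, payload):  # constructed sample input: `levels` deflated zips around payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"level{i}.bin", payload)
        payload = buf.getvalue()
    return payload
```

A few kilobytes of highly compressible input expand to megabytes, which is exactly the case the expanded-size budget catches before the scanner spends its time or memory on it.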