Possibility of Denial of Service in dictd?

To: "debian-security@lists.debian.org" <debian-security@lists.debian.org>
Subject: Possibility of Denial of Service in dictd?
From: Riley Baird <BM-2cVqnDuYbAU5do2DfJTrN7ZbAJ246S4Xix@bitmessage.ch>
Date: Mon, 19 Jan 2015 15:36:27 +1100
Message-id: <[🔎] 54BC89CB.4020700@bitmessage.ch>

Hi,

I noticed that using the dict regular expression search feature, it is
possible to get extremely large amounts of data from a server with dictd
running, for example `dictd -s regexp [a-z]` would return the entire
dictionary (assuming that all headwords contained a lower case letter).

My concern is that for larger dictionaries, an attacker could repeatedly
make requests for significant portions of the dictionary, thus leading
to denial of service. This could potentially be mitigated by imposing a
limit on the amount of data that can be sent per request.

Yours sincerely,

Riley Baird

Reply to:

Follow-Ups:
- Re: Possibility of Denial of Service in dictd?
  - From: Riley Baird <BM-2cVqnDuYbAU5do2DfJTrN7ZbAJ246S4Xix@bitmessage.ch>

Prev by Date: Re: Bug#774211: freeze exception for binutils 2.25-3
Next by Date: Re: Possibility of Denial of Service in dictd?
Previous by thread: Re: Bug#774211: freeze exception for binutils 2.25-3
Next by thread: Re: Possibility of Denial of Service in dictd?
Index(es):
- Date
- Thread