
Re: Pb with inetd and ftp/tcp



Jean-Michel Rouet wrote:

> I've been using a Debian system for 3 years or so with no problem at all. But
> recently I discovered a rather strange behavior with inetd and
> particularly with ftp.
>
> Imagine that an evil person wants to crash your machine by sending a lot of
> non-authorized ftp requests like this (shell is zsh):
>
> $ while `true`
> $ do
> $   lftp -u foo,bar -e ls target-host &
> $ done
>
> after a few loops, the inetd daemon detects a problem and stops the ftp
> server.
> --> I found this message in the /var/log/daemon.log of the target-host
> (in fact localhost :-))
>
> Jun 19 14:34:52 joebar inetd[22750]: ftp/tcp server failing (looping),
> service terminated
>
> So as I understand it, anyone who has tcp access to a machine can send a
> huge amount of invalid ftp requests and therefore crash (or stop) the
> ftp server !!!
>
> Is this normal behavior?

Yes, this is normal behavior. Note that inetd doesn't stop the service permanently,
but just for a while (I don't know what length of time it uses). This class of attack is
called Denial of Service and is the toughest class of attack to prevent or respond to.
I haven't seen any really good solution. The most common countermeasure is to watch
the rate at which incoming requests are being made and, if they exceed a threshold,
consider it 'an attack' and ignore packets for such requests. The 'SYN flood'
protection built into the Linux kernel seems to use this method. I tried to use it, but
the particular machine I wished to use it on is a very busy machine, acting as
internet gateway and email server for about 150 client machines. About once a week, for
whatever reason, activity would hit a peak where this protection would kick in and soon
everyone was calling the sysadmin to complain that the system was down.

--
Jens B. Jorgensen
jjorgens@bdsinc.com
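The rate-threshold cut-off behind inetd's "server failing (looping)" message, and the false-positive problem Jens describes above, as an added Python example that is not part of this thread. It assumes the common inetd defaults of 40 spawns per 60 seconds and a 10-minute disable period; all connection timestamps are constructed, not real logs.

```python
from collections import deque


class ServiceRateGuard:
    """Per-service spawn counter modelled on inetd's 'looping' check.
    Assumed defaults: 40 spawns per 60 s window, service disabled for 600 s."""

    def __init__(self, max_per_window=40, window=60.0, retry=600.0):
        self.max_per_window = max_per_window
        self.window = window
        self.retry = retry
        self.recent = deque()        # timestamps of connections inside the window
        self.disabled_until = None   # set once the service has been "terminated"

    def offer(self, now):
        """Offer one connection at time `now`; return 'ok', 'looping' or 'disabled'."""
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return "disabled"       # inetd is still ignoring this service
            self.disabled_until = None  # retry period is over: re-enable
            self.recent.clear()
        while self.recent and now - self.recent[0] >= self.window:
            self.recent.popleft()       # forget connections older than the window
        self.recent.append(now)
        if len(self.recent) > self.max_per_window:
            self.disabled_until = now + self.retry
            self.recent.clear()
            return "looping"            # "server failing (looping), service terminated"
        return "ok"


def replay(timestamps, **limits):
    """Replay a list of connection timestamps and summarise what the guard did."""
    guard = ServiceRateGuard(**limits)
    verdicts = [guard.offer(t) for t in timestamps]
    return {
        "accepted": verdicts.count("ok"),
        "tripped_at": verdicts.index("looping") if "looping" in verdicts else None,
        "dropped": verdicts.count("disabled"),
    }


# Constructed scenarios (not captured traffic):
FLOOD = [i * 0.1 for i in range(50)]    # 50 connections in 5 s, like the lftp loop
PEAK = [i * 0.4 for i in range(150)]    # 150 clients each connecting once in a minute

if __name__ == "__main__":
    print("flood:", replay(FLOOD))
    print("legitimate peak:", replay(PEAK))
    # Raising the per-service limit (inetd.conf's "nowait.N" field on
    # BSD-derived inetds) is the usual fix for a busy but honest host:
    print("peak with limit 200:", replay(PEAK, max_per_window=200))
```

The "legitimate peak" run trips the guard at exactly the same point as the flood, which is why a rate threshold alone produced the complaints Jens mentions; it cannot tell 150 clients from one attacker without a higher limit or a smarter signal.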
