
Re: sudden (and selective) autism



On Tue, Apr 29, 2003 at 09:42:11AM -0700, Matt Perry wrote:
> On Sat, 19 Apr 2003, Jim McCloskey wrote:
> 
> > A little checking quickly revealed that the connection requests that
> > were being refused were all and only those dealt with by services
> > started by inetd
>  [snip]
> > The file /etc/inetd.conf seemed unchanged, but the logs had this at 10
> > minute intervals:
> 
> If inetd receives too many connections within a 1 minute period, it will
> cut off service for 10 minutes.  Apparently this is a "feature" to limit
> memory usage or something.  Someone was probably exploiting this to cause
> a DoS on your machine.

The default value for "too many connections" is 40 in a 60 second
period.  For many services (like BOOTP or TFTP on a larger network)
this is not enough.

Fortunately, you can solve this problem in inetd.conf:  append a dot
('.') to the 'wait' or 'nowait' parameter followed by the
max-connections limit.

  wait.240

sets the limit to 240 connections per minute, or 4 per second on
average.

-- 
Nathan Norman - Incanus Networking mailto:nnorman@incanus.net
  Liberty may be endangered by the abuses of liberty as well as by
  the abuses of power.
          -- James Madison
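The `wait.N` / `nowait.N` syntax above is easy to get wrong and easy to forget about during an audit, so here is an added example (not part of the original thread, and not inetd's own code) that reads an inetd.conf and reports the per-minute connection limit each service will actually get, flagging those still on the compiled-in default of 40 that the message describes. The sample inetd.conf embedded below is constructed for the example; the 40/minute default and the `.N` suffix semantics are assumed to be those of the netkit/BSD inetd discussed in the thread.

```shell
#!/bin/sh
# Report the per-minute connection limit inetd applies to each service in an
# inetd.conf, so an admin can see which services are still on the default of
# 40 connections/minute (the threshold that triggers the 10-minute shutoff).
#
# Constructed sample config for this example (not from the original post).
# tftp and bootps have been raised as the message suggests; the rest ride the
# default; the commented-out line must be ignored.
SAMPLE_INETD_CONF='# service socket proto wait/nowait[.max] user server args
ftp     stream  tcp  nowait      root   /usr/sbin/tcpd   in.ftpd
telnet  stream  tcp  nowait      root   /usr/sbin/tcpd   in.telnetd
tftp    dgram   udp  wait.240    root   /usr/sbin/tcpd   in.tftpd /tftpboot
bootps  dgram   udp  wait.600    root   /usr/sbin/bootpd bootpd -i -t 120
finger  stream  tcp  nowait.100  nobody /usr/sbin/tcpd   in.fingerd
#disabled stream tcp nowait root /usr/sbin/tcpd in.disabled
'

# inetd_max_conn FIELD
#   Print the per-minute limit encoded in a wait/nowait field:
#   "wait.240" -> 240, bare "wait"/"nowait" -> 40 (inetd's built-in default,
#   assumed here from the thread). Returns 1 on anything else.
inetd_max_conn() {
    case "$1" in
        wait.*|nowait.*) printf '%s\n' "${1#*.}" ;;
        wait|nowait)     printf '%s\n' 40 ;;
        *)               return 1 ;;
    esac
}

# inetd_rate_limits < inetd.conf
#   One line per active service: "<service> <limit> default|explicit".
#   Blank lines and comment lines are skipped; malformed lines are reported
#   on stderr and skipped rather than aborting the whole report.
inetd_rate_limits() {
    while read -r service socket proto waitfield rest; do
        case "$service" in ''|'#'*) continue ;; esac
        limit=$(inetd_max_conn "$waitfield") || {
            echo "skipping $service: unrecognised wait field '$waitfield'" >&2
            continue
        }
        case "$waitfield" in
            wait|nowait) flag=default ;;
            *)           flag=explicit ;;
        esac
        printf '%s %s %s\n' "$service" "$limit" "$flag"
    done
}

# inetd_limit_for SERVICE < inetd.conf
#   Print just the effective limit for one service (empty if not configured).
inetd_limit_for() {
    inetd_rate_limits | awk -v s="$1" '$1 == s { print $2; exit }'
}

# Stand-alone run: report on the constructed sample. Point this at a real
# file with:  inetd_rate_limits < /etc/inetd.conf
printf '%s' "$SAMPLE_INETD_CONF" | inetd_rate_limits
```

Anything reported as `default` is a service that a burst of 40 connection attempts in a minute (from a scan, a misbehaving client, or a deliberate DoS) will take offline for ten minutes; raise the limit only on services where that burst is legitimate traffic, since the cap is also what keeps a flood from forking a process per connection.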


