This is a message I saw on the kernel mailing list:

On Fri, 16 Aug 1996, Klaus Lichtenwalder wrote:

> I have an application that for simplicity backs up new files from a file
> server via rsh. This thingy stops after a few rsh calls to the remote
> Linux machine. The following message can be found in syslog:
> 
> Aug 16 17:53:59 gaston inetd[73]: shell/tcp server failing (looping),
> service terminated
> 
> Needless to say, the backup scripts then hang idle.

This is due to inetd killing any port that has more than 40 requests per
minute.

Obviously, this could be a denial of service attack.

evil.com writes a program which, all at once, sends out 40 connection
requests to good.edu's telnet port.  Good.edu's inetd, thinking that
something is broken, stops allowing incoming telnets.

While any site with good administrators would be able to fix this problem
in a matter of minutes, this could be a problem for a site which is
normally unattended.

Ideas for solution:

1.  Add a number after nowait for TCP services in /etc/inetd.conf.  This
number represents the max number of requests per minute.  Set it to 32000
or something.  Note that this requires a recent version of inetd.  (I run
1.1)

2.  Block access to all ports except from "trusted sites".  This assumes an
open environment where the network medium is generally trusted.  Note that
IP spoofing attacks can occur if the network is not trusted.

I didn't bring this up to demonstrate an astonishing insight into
security.  Rather, I brought this up to spark some discussion on other
possible attacks, based on this one, as well as solutions to these attacks.
Not everyone has the advantage of being able to log onto the console of
every machine they administrate, and the thought of having someone able to
willfully cause me work does not appeal to me.

This affects, at least, Red Hat 3.0.3.  I assume it affects nearly every
distribution.

[REW: I couldn't reproduce the "terminating service" on my slackware
distribution. It seems to have the same 1.1 version of inetd. I suspect
that the machine is too slow to accept more than 40 requests per minute.

I'd rather have the "init" behaviour: "id "c1" respawning too fast:
Disabled for 5 minutes"]
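
Added example, not part of the original message and not inetd's source: a simplified C model of the per-service limit described above (more than 40 requests per minute terminates the service), for checking whether a legitimate workload such as the rsh backup would trip it and what raising the number after nowait changes. The struct, the function names and the fixed 60-second window are assumptions made for illustration.

```c
#include <stdio.h>

#define DEFAULT_MAX 40   /* default per-minute limit stated in the post */
#define WINDOW_SECS 60   /* counting interval: one minute */

/* Hypothetical model state for one /etc/inetd.conf service entry. */
struct service {
    int  max_per_min;   /* number after nowait; DEFAULT_MAX when absent */
    int  count;         /* requests seen in the current window */
    long window_start;  /* arrival time (s) of the window's first request */
    int  terminated;    /* set once the limit is exceeded */
};

/* Feed one connection arriving at time `now` (seconds).
 * Returns 1 if the service is terminated, 0 if the request is served. */
int service_request(struct service *s, long now)
{
    if (s->terminated)
        return 1;
    if (s->count == 0 || now - s->window_start > WINDOW_SECS) {
        s->window_start = now;   /* a new one-minute window begins */
        s->count = 1;
        return 0;
    }
    if (++s->count > s->max_per_min)
        s->terminated = 1;       /* "server failing (looping)" */
    return s->terminated;
}

/* Replay n requests spaced `gap` seconds apart. Returns the 1-based index
 * of the request that terminated the service, or 0 if all were served. */
int first_refused(int max_per_min, int n, long gap)
{
    struct service s = { max_per_min, 0, 0, 0 };
    for (int i = 0; i < n; i++)
        if (service_request(&s, i * gap))
            return i + 1;
    return 0;
}

int main(void)
{
    printf("burst of 41, default limit: %d\n", first_refused(DEFAULT_MAX, 41, 0));
    printf("1 call/s x100, default:     %d\n", first_refused(DEFAULT_MAX, 100, 1));
    printf("1 call/2s x100, default:    %d\n", first_refused(DEFAULT_MAX, 100, 2));
    printf("burst of 41, limit 32000:   %d\n", first_refused(32000, 41, 0));
    return 0;
}
```

In this model a script making one rsh call per second is cut off at its 41st call just as a burst is, while pacing calls two seconds apart or raising the limit keeps the service up.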