The OpenNET Project
 


News DoS using sendsys


Date: Wed, 26 Aug 1998 14:27:01 -0400
From: "Forrest J. Cavalier III" <[email protected]>
To: [email protected]
Subject: Re: News DoS using sendsys

From:          Walter Hafner <[email protected]>

> Our newsserver (INN) all of a sudden gets several 100 'sendsys' requests
> per day. The addresses of the people requesting the sendsys seem to be
> completely random. They all seem to be normal user-accounts. We see
> these sendsys requests for about a week now.

Part I: sendsys mailbombing
---------------------------
The "From" addresses are all probably forged addresses.  The sendsys
message was sent from elsewhere to mailbomb the "From" address.
Hundreds of sites around the internet will process the requests and
generate one piece of mail each to the apparent originator.

Disabling automatic sendsys processing is appropriate, as suggested.
However....

Part II: the Denial of Service
------------------------------
INN processes control messages, including sendsys, by spawning a
shell process, which in turn spawns numerous shell and other
processes which decide what action to take with the message.

A typical Usenet machine receives hundreds of messages per
minute.  Control messages are processed as they arrive, rather
than waiting for the previous one to finish processing; it
is possible to cause a machine load to skyrocket in short
order.

news.software.nntp has recently had a discussion on this topic.
(There is a third-party patch to "serialize" control message processing,
which also more efficiently ignores messages, as it doesn't require
the same shell-script processing.)

Depending on the flavor of message filter you are using, you may
be able to block control messages from being accepted.

All stock versions of INN, from 1.4 (and perhaps earlier) to INN 2.1 are
vulnerable.  Current INN 2.x snapshots have an option to serialize
control message processing, I believe.

> Fortunately, this DoS is very easy to stop: Just make sure, that the
> Newsserver doesn't reply to a 'sendsys' automatically.

That removes the mailbombing characteristic, but only partially
helps with the system load.

Forrest J. Cavalier III, Mib Software, INN customization and consulting
'Pay-as-you-go' commercial support for INN: Only $64/hour!
Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages: Free access!
   http://www.mibsoftware.com/innsup.htm
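
The two mitigations discussed in the message above, dropping sendsys-style requests cheaply and serializing whatever control messages remain, sketched as an added example. This is not INN code and not the third-party patch; the class and function names and the IGNORED policy set are assumptions, and the burst of articles is constructed.

```python
import queue
import threading
from email.parser import HeaderParser

# Assumed local policy: control commands whose reply is mailed to the forgeable From address.
IGNORED = {"sendsys", "version", "senduuname"}

def control_command(article):
    """Return the lower-cased command from the Control header, or None."""
    parts = HeaderParser().parsestr(article).get("Control", "").split()
    return parts[0].lower() if parts else None

class SerializedControlQueue:
    """One worker thread: at most one control handler runs at any time."""
    def __init__(self, handler):
        self.handler, self.dropped, self.failed = handler, 0, 0
        self.pending = queue.Queue()
        threading.Thread(target=self._worker, daemon=True).start()

    def submit(self, article):
        cmd = control_command(article)
        if cmd is None:
            return "not-control"
        if cmd in IGNORED:
            self.dropped += 1            # discarded in-process, nothing spawned
            return "dropped"
        self.pending.put((cmd, article))
        return "queued"

    def _worker(self):
        while True:
            cmd, article = self.pending.get()
            try:
                self.handler(cmd, article)   # the expensive step, one at a time
            except Exception:
                self.failed += 1             # a bad message must not stop the worker
            finally:
                self.pending.task_done()

def demo():
    """Constructed burst: 300 forged sendsys requests, two other control messages, one article."""
    handled = []
    q = SerializedControlQueue(lambda cmd, art: handled.append(cmd))
    burst = [f"From: user{i}@example.invalid\nControl: sendsys\n\n" for i in range(300)]
    burst.insert(10, "From: a@example.invalid\nControl: cancel <1@example.invalid>\n\n")
    burst.append("From: b@example.invalid\nControl: newgroup example.test\n\n")
    burst.append("From: c@example.invalid\nSubject: hello\n\nordinary article\n")
    results = [q.submit(a) for a in burst]
    q.pending.join()                     # wait for the single worker to drain
    return results.count("dropped"), handled, results[-1]

if __name__ == "__main__":
    print(demo())
```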
