Jean-Michel Rouet wrote:

> I've been using a Debian system for 3 years or so with no problem at all. But
> recently I discovered a rather strange behavior with inetd and
> particularly with ftp.
>
> Imagine that an evil person wants to crash your machine by sending a lot of
> non-authorized ftp requests like this (shell is zsh):
>
> $ while `true`
> $ do
> $ lftp -u foo,bar -e ls target-host &
> $ done
>
> After a few loops, the inetd daemon detects a problem and stops the ftp
> server.
> --> I found this message in the /var/log/daemon.log of the target-host
> (in fact localhost :-)):
>
> Jun 19 14:34:52 joebar inetd[22750]: ftp/tcp server failing (looping),
> service terminated
>
> So as I understand it, anyone who has tcp access to a machine can send a
> huge amount of invalid ftp requests and therefore crash (or stop) the
> ftp server!!!
>
> Is it normal behavior?
Yes, this is normal behavior. Note that inetd doesn't stop the service permanently, but just for a while (I don't know what length of time it uses).

This class of attack is called Denial of Service and is the toughest class of attack to prevent or respond to. I haven't seen any really good solution. The most common countermeasure is to watch the rate at which incoming requests are being made and, if they exceed a threshold, consider it 'an attack' and ignore packets for such requests. The 'syn flood' protection built into the Linux kernel seems to use this method.

I tried to use it, but the particular machine I wished to use it on is a very busy machine, acting as internet gateway and email server for about 150 client machines. About once a week, for whatever reason, activity would hit a peak where this protection would kick in and soon everyone was calling the sysadmin to complain that the system was down.

--
Jens B. Jorgensen
[EMAIL PROTECTED]
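As an added illustration of the rate-threshold countermeasure described in the reply, and of the false-positive problem it runs into on a busy host, here is a small Python script that is not part of this thread. It runs a per-source sliding-window rate check over constructed syslog-style connection lines (the hostname joebar and the inetd "server failing (looping)" line are taken from the quoted message; the "ftpd: connect from ..." line format, the source addresses and the year used for timestamps are made up for this example) and also picks out the inetd termination events so an operator can see when inetd throttled a service.

```python
"""Added example, not code from the thread: a sliding-window connection-rate
check per source host, plus a matcher for inetd's 'server failing (looping)'
syslog line.  Log lines below are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log shapes (constructed; the inetd line mirrors the one quoted in the thread).
LOG_LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")
CONNECT = re.compile(r"connect from (\S+)")
INETD_LOOPING = re.compile(
    r"inetd\[\d+\]: (\S+) server failing \(looping\), service terminated")

# Constructed sample: one legitimate client connecting occasionally, one host
# opening 12 connections in about 5 seconds, then inetd giving up on ftp.
SAMPLE_LOG = [
    "Jun 19 14:34:00 joebar ftpd: connect from 198.51.100.7",
    "Jun 19 14:34:20 joebar ftpd: connect from 198.51.100.7",
    "Jun 19 14:34:40 joebar ftpd: connect from 198.51.100.7",
] + [
    f"Jun 19 14:34:{45 + i // 2} joebar ftpd: connect from 192.0.2.10"
    for i in range(12)
] + [
    "Jun 19 14:34:52 joebar inetd[22750]: ftp/tcp server failing (looping), "
    "service terminated",
]


def parse_time(stamp, year=2001):
    """Syslog stamps carry no year; the year here is an assumed placeholder."""
    fields = stamp.split()  # tolerate the space-padded day syslog uses
    return datetime.strptime(f"{year} {' '.join(fields)}", "%Y %b %d %H:%M:%S")


def flag_sources(lines, threshold, window_seconds):
    """Return {source: time first flagged} for sources that made more than
    `threshold` connections inside any `window_seconds` span."""
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hit = CONNECT.search(m.group(4))
        if not hit:
            continue
        ts, src = parse_time(m.group(1)), hit.group(1)
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop stale entries
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def inetd_terminations(lines):
    """Services inetd reported as 'failing (looping)', in log order."""
    return [m.group(1) for m in map(INETD_LOOPING.search, lines) if m]


if __name__ == "__main__":
    # A threshold tuned to the burst catches only the noisy host...
    print("flagged (10 in 10s):", flag_sources(SAMPLE_LOG, 10, 10))
    # ...while an aggressive one also flags the legitimate client, which is
    # the false-positive problem the reply describes on a busy gateway.
    print("flagged (2 in 60s): ", flag_sources(SAMPLE_LOG, 2, 60))
    print("inetd throttled:    ", inetd_terminations(SAMPLE_LOG))
```

The two calls in the usage section make the tuning trade-off concrete: the same data flagged with a 10-per-10-second threshold isolates the bursting host, while 2-per-minute also sweeps in the regular client. In practice the threshold has to be set from measured peak traffic on the host in question, and the inetd termination lines are worth alerting on in their own right, since they tell you a service was already taken offline.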