On Fri, 23-Jul-1999 at 14:29:19 +0200, Sheldon Hearn wrote:
>
> [Hijacked from cvs-committers and cvs-all]
>
> On Fri, 23 Jul 1999 11:28:12 +0200, Andre Albsmeier wrote:
>
> > I observed some kind of denial of service on -STABLE: I was
> > playing with the new nmap and did a 'nmap -sU printfix'.
> > inetd was running as "inetd -l" and started sucking all the
> > CPU time even though nmap had been terminated long ago.
>
> What does "sucking all the CPU time" mean? Does it mean that other
> programs were suffering, or does it mean that it was the only
> significant user of CPU and so showed up at close to 100% CPU usage?
>
> I suspect that the latter is true.

It's only nearly 50% because syslogd gets most of the other half :-)
But when inetd is run without -l it gets 100%.

> > /var/log/messages file showed zillions of the following lines
> > being added continuously:
>
> Well, you did ask for them (inetd -l). :-)
>
> > Jul 23 11:21:28 <daemon.info> printfix inetd[1743]: time from [...]
> > Jul 23 11:21:28 <daemon.info> printfix inetd[1743]: daytime from [...]
>
> Usually syslog will give you "last message repeated X times".
> Unfortunately, the alternation of the messages makes this impossible.
>
> David Malone had a few ideas on "clever" handling of UDP. While what
> he suggests might help reduce the number of messages you receive under
> legitimate use, it won't help against DoS, since the sender of packets
> can simply randomize the origin addresses.
>
> > Maybe you got an idea...
>
> I know exactly why you see what you see when you do what you do. All I
> can say is "don't do that", because I can't think of a way to cater for
> what you're doing in a sensible fashion.

I think, I didn't describe the problem clearly so I will try again :-)

1. I run 'nmap -sU printfix' on the 192.168.17.100 machine.
2. After nmap has finished it shows me the open ports.
3. We wait, e.g. 1 minute
4. inetd, which runs with -l, continues logging to syslogd and never stops.

Here is a top snapshot taken one minute later:

last pid:  4040;  load averages:  0.96,  0.56,  0.29    up 0+06:19:27  14:56:00
36 processes:  2 running, 34 sleeping
CPU states: 54.3% user,  0.0% nice, 41.9% system,  3.9% interrupt,  0.0% idle
Mem: 8500K Active, 37M Inact, 12M Wired, 3428K Cache, 7592K Buf, 532K Free
Swap: 49M Total, 49M Free

  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 3748 root      58    0  956K   704K RUN      0:20 44.97% 44.97% inetd
  122 root       2    0  848K   576K select   3:10 36.47% 36.47% syslogd
  127 root       2    0 1588K  1228K select   0:05  0.00%  0.00% named
  200 root       2    0  876K   524K select   0:02  0.00%  0.00% lpd
  132 root       2  -52 1236K   732K select   0:02  0.00%  0.00% xntpd

In case we start inetd without -l, it doesn't log to syslogd anymore
and therefore consumes all the CPU for itself:

last pid:  4397;  load averages:  1.59,  1.10,  0.55    up 0+06:22:14  14:58:47
111 processes: 2 running, 109 sleeping
CPU states: 61.2% user,  0.0% nice, 38.0% system,  0.8% interrupt,  0.0% idle
Mem: 10M Active, 30M Inact, 14M Wired, 3776K Cache, 7592K Buf, 3688K Free
Swap: 49M Total, 49M Free

  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 4043 root     104    0  956K   740K RUN      1:33 97.66% 97.61% inetd
  122 root       2    0  848K   576K select   3:16  0.00%  0.00% syslogd
  127 root       2    0 1588K  1228K select   0:05  0.00%  0.00% named

Remember that nmap has finished already a long time ago. I think,
inetd is stuck in some loop which can be terminated only by killing
and restarting it.

	-Andre
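
An added example, not part of the original messages and not FreeBSD code: a simplified model of syslogd's consecutive-repeat suppression run over constructed log lines in the format quoted above, showing that alternating `time`/`daytime` entries are never collapsed, plus a per-second counter that still flags the flooding inetd process. The source address 192.0.2.10, the threshold and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of the lines quoted in the thread; the
# source address (elided as "[...]" in the post) is a documentation placeholder.
SAMPLE = "\n".join(
    f"Jul 23 11:21:28 <daemon.info> printfix inetd[1743]: {svc} from 192.0.2.10"
    for _ in range(300) for svc in ("time", "daytime")
)

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?:<[^>]*> )?(?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

def collapse_repeats(lines):
    """Simplified model of repeat suppression: only consecutive duplicates merge."""
    out, prev, n = [], None, 0
    for line in lines:
        m = LINE.match(line)
        key = (m["host"], m["prog"], m["pid"], m["msg"]) if m else line
        if key == prev:
            n += 1
            continue
        if n:
            out.append(f"last message repeated {n} times")
        out.append(line)
        prev, n = key, 0
    if n:
        out.append(f"last message repeated {n} times")
    return out

def flooding_sources(lines, per_second=100):
    """Return {(host, prog, pid, timestamp): count} for buckets at or over the threshold."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line)
        if m:
            counts[(m["host"], m["prog"], m["pid"], m["ts"])] += 1
    return {k: c for k, c in counts.items() if c >= per_second}

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print(len(lines), "->", len(collapse_repeats(lines)), "after repeat suppression")
    print(flooding_sources(lines))
```

Counting per process and second is independent of the message text and of the claimed origin address, so it keeps working when the messages alternate or the sender varies the source.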