Slashdot Mirror


Major Unix flaw emerges??

ZDNN has published an article titled: "Major Unix flaw emerges". It talks about "a new denial-of-service attack". They are also running a news special about Linux world (cute logo) and a poll: will MS squash Linux (guess the results..)

138 comments

  1. nothing new by Anonymous Coward · · Score: 0

    this is pretty old news, kinda sad that it's finally getting noticed

  2. That's happened to me by Anonymous Coward · · Score: 0

    My crond daemon starts forking until there's no space left on the box. Have to log out of X to free enough processes to kill 117.

  3. other flaws ZD missed... by Anonymous Coward · · Score: 0

    Typing rm -rf * as root, mistakes with fork(), etc etc etc. I mean, you don't have these problems on NT, as it just crashes for no apparent reason, so there is no need to worry about paying attention to what you are doing.
    Whatever. Yes, it's FUD. Do we all need to sit and ponder why? Better to just point and laugh than get mad.

  4. Are you KIDDING me?1 by Anonymous Coward · · Score: 0

    That's so silly. I like the analogy about the gas in the car, though. Design flaw. I hate to throw the term around, but this could be... nah, I'll let someone else say it.

  5. Grrrr. by Anonymous Coward · · Score: 0

    The "problem" quoted here isn't a Unix problem, it's an inetd problem. And it's not new or even newly discovered - I personally read about it at least 5 years ago. It's the very reason why xinetd and tcpserver exist.

    Personally, I blame crap like this on services like Rootshell and Bugtraq. They mean well, but too many "journalists" troll these for the next big headline grabbing story. I'd love to see a security list/web-site that was closed to the press - that would remove the temptation for the grandstanding and posturing that pervades Bugtraq right now.

  6. Eh? by Anonymous Coward · · Score: 0

    Since when is this a "new" attack? It's pretty common. Ways around it too.

  7. will linux survive/be squashed. by Anonymous Coward · · Score: 0

    did anyone else catch that zdnet has the linux 2.2 kernel in their software archive?

    Keen!

  8. yup, it's just the same fud by Anonymous Coward · · Score: 0

    what a lousy article. except for the mildly tech bit in the middle, it has no consequence in our lives. and that doofus that allowed his name to be used as the finder of that bug, he should just be slapped around until he gets a clue. doesn't sound smart enough to run an isp.

    feh

  9. Ever Heard of This New Thing? by Anonymous Coward · · Score: 0

    Oh yes! I seem to recall the story from the time they discovered that NT was vulnerable to the Ping of Death. But instead of fixing NT, they just set the router up to not pass UDP...

    Hmmm... I wonder how many connects I can make to an NT box running IIS before it dies...

    El Gardo

  10. Ever Heard of This New Thing? by Anonymous Coward · · Score: 0

    Uhm yes... and soon, we'll see a new story: "New DOS attack for Unix! By setting up a client that keeps connecting to the server, you will stop others from connecting!" - doesn't matter what you do, they'll be able to find a negative view on it. And sadly, they won't think that a "Server too busy" message is bad only on UNIX, but totally acceptable on NT. Blah!

  11. Turn off by Anonymous Coward · · Score: 0

    Couldn't you just remove finger from the /etc/services and /etc/inetd.conf files? Then the machine would not even listen.

  12. On a similar note... by Anonymous Coward · · Score: 0

    ...this is probably _very_ old news but it did quite a job on my system (linux 2.0.34):

    main(){while(1){fork();}}

    Fortunately I ran it as a user and just had to logon as root and run a massive ps | grep | kill command to kill all the processes off. It was a VERY slow process to do so though...

  13. ZDnet by Anonymous Coward · · Score: 0

    Sucks, 'nuf said. Gave up on reading the article after waiting for more than the banners to show up for 2 mins. Stupid site layout pays more attention to getting the ads to you than the content.

  14. software not in ZD archive by Anonymous Coward · · Score: 0

    correct. source/binary is not on ZDnet. Very misleading.

  15. Actually... by Anonymous Coward · · Score: 0

    I think it was ICMP... Same difference, but in this day and age you may want to block icmp. Especially broadcast packets!

  16. Troll Grade: C-- by Anonymous Coward · · Score: 0

    A barely passing troll post.
    Comments:
    Mentioned Gates +1
    Use of word 'crufy' +1
    Lack of profanity: -5
    Use of conclusory statements "obviously superior" without specific details calculated to draw a response: -10

    Overall, a very poor troll post. Try again.

  17. Security through obscurity... by Anonymous Coward · · Score: 0

    Personally, I would much rather see security bugs posted all over the net (especially sent to the responsible vendors) rather than having these bugs kept secret until the vendor chooses to fix them. Denial-of-service "bugs" are a little different though.

  18. "unix" flaw? by Anonymous Coward · · Score: 0

    so they are somehow implying that windows NT is not vulnerable to this? why not? couldn't you do the same thing to a non-UNIX server, such as NT or macos?

    in fact aren't there MORE things you can do to NT? with the difference that if a flaw is discovered in most UNIXes you can fix the flaw, whereas with proprietary OSes you must wait for MS or apple to fix the problem?

    silly.

  19. On a similar note... by Anonymous Coward · · Score: 0

    Just for fun, if you have a MS system handy, try the following batch file, and name it "crash.bat":

    Contents of "Crash.bat":
    start crash.bat
    start crash.bat
    start crash.bat

    It slows it to a crawl, and will probably kill it.

  20. bugtraq uber alles by Anonymous Coward · · Score: 0

    Bugtraq was a good security source. It's now almost completely overrun by publicity-seekers and others who just want to be quoted in a story like this. They know that any drivel they spew there will be a front-page story on ZDN, CMP, or CNET a few hours later.

    The only worthwhile things left on Bugtraq are the L0pht advisories.

  21. Denial of service is unavoidable; it's not news by Anonymous Coward · · Score: 0

    It has been proven at many levels ranging from the highly theoretical to the highly practical that denial of service attacks, in the general case, are unavoidable in packet-switched networks with untrusted parties (hosts, users, etc.). This was done over twenty years ago.

    Denial of service attacks, in and of themselves, simply are not news. If ZD or other mainstream PC press are too clueless to know that, well, then let them say whatever they want; it just reinforces the opinion of those in the know about their level of technical competence.

    Where DOS attacks might be news is when they are being used against an important target (e.g., major ISP's core routers) or when the attack is sufficiently easier than the obviously undefendable ones (e.g., teardrop, as compared to data flooding).

  22. Stupid Unix Comment -> Slashdot Mention -> Ad hits? by Anonymous Coward · · Score: 0

    So how many people went and looked at that article? A lot more people than would normally read ZD's in-depth reporting, right? It seems to me that a way to dramatically increase your ad hits would be to say something patently stupid about UNIX, get it posted to Slashdot as news, and watch as the Slashdot Effect becomes money in your pocket.

    Of course, I'm sure ZD would be totally above doing something like that.

  23. Can you say "FUD"? I knew you could! by Anonymous Coward · · Score: 0

    So, what makes this a "unix-specific" flaw, and not a "stupid server software (for not limiting connections or using threads)" flaw? And what makes FUD^H^H^HZDNet so sure this only turns up on Unix? Seems to me that any server that allows you to open connections faster than they time out would be susceptible to this DoS attack. By the way, by default Linux is limited to 256 connections per port, isn't it? So you'd have to be doing this to several ports simultaneously to fill up the process table. Also, doesn't Linux allow you to change the size of the process table, up to 65536 processes (or is that 32768?) Yes, ultimately having a 16-bit process id IS a design flaw, I guess... but try creating that many processes on NT and see what happens!

  24. Yes, there really is a flaw! by Anonymous Coward · · Score: 0

    UNIX and UNIX-like systems (such as Linux) are vulnerable to the problem described: Stupid administrators.

    On the other hand, most other OSes are subject to similar attacks -- stupid administration has been known to bring down VMS, VM/CMS, and Apple ProDOS systems as well.

  25. It's just the old SYN flood thing by Anonymous Coward · · Score: 0

    Everything is vulnerable to this. Patches were around over a year ago to reduce the effect by increasing the SYN ACK timeout progressively.

    yada yada...

    It's a TCP bug not a unix bug. Gosh, it's not even a bug, it's just the way it is.

    And it has nothing to do with "fingering".

    Reporters are dumb.

  26. It's just the old SYN flood thing by Anonymous Coward · · Score: 0

    Everything is vulnerable to this. Patches were around over a year ago to reduce the effect by increasing the SYN ACK timeout progressively.

    It's a TCP bug not a unix bug. Gosh, it's not even a bug, it's just the way it is.

    And it has nothing to do with "fingering".

    Reporters are dumb.

  27. Garfinkel??? by Anonymous Coward · · Score: 0

    This isn't the one and only Macintosh evangelist, is it?

  28. FOOLS!!! by Anonymous Coward · · Score: 0

    ZDNET is an organization of f*cking fools!! What
    kind of DUMBASS wrote that hunk of shit? FREAKING
    losers! I hope they go down with Micros~1(learned
    that from a previous post)! I can't believe such
    crap even exists. Pathetic Windows users.

    P.S. Linux will crush Windows...

    Steve

  29. hrmmmm by Anonymous Coward · · Score: 0

    then what?
    death or taxes?

  30. "Security expert" Simson Garfinkel, my ass! by Anonymous Coward · · Score: 0

    I've read this guy's stuff before. He's a worse moron than Katz. The only thing he's an expert on is which hand lotion gives the best feel, if you know what I mean.

  31. Redhat looks clueless. by Anonymous Coward · · Score: 0

    Did you read the comment from the redhat spokesperson? It was like "Uh, I've never heard about process table attacks but Linux security holes are usually patched quickly!" Great. I'm sure that's very re-assuring to the corporate suits that the people at Redhat don't know squat and are waiting for the "community" to patch a problem with their distro. Can we get someone with a little more knowledge answering this type of question at Redhat?

  32. new? by Anonymous Coward · · Score: 0

    wow... shows what you get for reading zdnet!

    ok, i'd really like to know how this is a flaw in unix and not the finger daemon (which 9 out of 10 sites have disabled anyway). how many lines of code would it take to make this "denial of service attack" disappear? about as many lines as it would to abuse it error. this boils down to two questions:

    1: why don't imap and fingerd have timeouts to begin with?

    2: why aren't all zdnet-related posted under the humor icon?

  33. Typical /.'er hypocrisy by Anonymous Coward · · Score: 0

    When a Windows bug surfaces, most of you go "giggle, giggle, tee hee, look how crappy Windows is!" But when a UNIX bug appears (or is mentioned for the umpteenth time), it's shrugged off, or screams of "FUD" echo through the pages.

    Yeah, I've got Fear, Uncertainty, and Doubt about UNIX, and Linux in particular. Especially when sysadmins say "oh, yeah, I knew about that a year ago. Never got around to fixing it."

    Anonymous Coward, wondering when "News for Nerds. Stuff that matters." turned into "Big Linux circle-jerk."

  34. No, he isn't. by Anonymous Coward · · Score: 0

    Simpson Garfunkle is the moron behind the "UNIX HATER'S
    HANDBOOK", a piece of dead tree that whines and whines
    and whines about how UNIX just isn't as good as anything
    on the planet.

    Garfinkle is an idiot, plain and simple. Unix expert
    my ASS.

  35. Ever Heard of This New Thing? by Anonymous Coward · · Score: 0

    about 410 with 256mb of ram..

  36. Ziff Davis, Micromania and the minions of master B by Anonymous Coward · · Score: 0

    Just posted a comment to ZDNET, but I wonder whether it'll pass the editor. So why not post it on /. as well? Here it comes:

    Well, of course the `downfall' of OS/2 was happily and freely aided by the minions of the Microsoft-minded press corps, with many a Ziff-Davis `journalist' in front carrying the waving Windows banner... 'All yeah all yeah, hear what Uncle Bill has to say' was the word, and those who dared to distance themselves from the gospel were soon dispelled as raving loonies who probably even used OS/2 for which no software was available and which would soon be dead anyway. And by the way, next year Microsoft will deliver this fantastic product of which we have a sneak peek (bold type on magazine cover, the more copies to sell) so gawk at that what is to come and do not look left nor right for fear of straying from the true faith...

    Now that the majority of the magazine-buying and website-reading public is finally fed up with this everlasting Micromania, suddenly the entire press corps does an about-face, and starts singing praise to the little OS which could (and other cuddly names). Well, that OS has been around for quite some time now folks, it was there when you lauded Bill's next deus-ex-machina, it was to be found around the smoking husks of many a crashed and burned Windows machine, it was there while you were still following the advertisement dollars instead of the gray matter which the creator has endowed you with (or maybe your gray matter told you those dollars were a worthier cause than the eternal search for truth and justice? Hmmmm....)

    Why are those same `journalists' (who, by many an ignorant reader, were thought of as `experts' and `professionals', whose guidance was worthy to follow; those same `experts' who led their readers like lambs to the slaughter in a succession of unstable Windows releases...) now suddenly deserting from the Microsoft-camp? Maybe it is the nagging guilt of all those years they publicly cried `witch!' on sight of anything not according to the gospel of Redmond? Or is it just that they realize their credibility has been stretched so far that it is now just a gossamer thread, prone to break by any new wind which might happen to blow through the industry? A curious phenomenon it is. Quite funny to watch actually...

    Oh, and by the way, should you not have guessed already, I WAS a Teamer. Like many of my former compadres I joined the Linux guerilla when it was young and fresh, ever ready to... fight? No, not that. Just to have a good time. That's what Linux is, OS/2 was, and posting biting comments to websites like these will ever be.

    Frank de Lange
    (no AC, folks, but d*mn where's that password?)

    (PS all you trolls out there... look up the word `satire' in your MS-Encarta 2000 personal professional business enterprise edition before you launch your missiles. Or never mind, they'll crash anyway so let it rip!)

  37. Look at the bright side: by Anonymous Coward · · Score: 0

    It's not stealing any cpu away from rc5des. It does look like a reboot is in order. It looks like you may be reading off a dos mounted partition... Sometimes it works better to only read from local ext2 stuff. I've had nfs lockup on me a couple of times like this.

  38. Redhat looks clueless. Or maybe not. by Anonymous Coward · · Score: 0

    Hmm, seems to me that I was having a related problem with inetd that comes in the netkit-base-0.10-13 RPM on the mail server of the ISP that I admin. Every once in a while the POP server would vanish, and in ten minutes come back, and promptly vanish again. After consulting the source I found a limiter of the number of daemons it would spawn in a fixed period of time. This was hardcoded in the source, so after a modify and recompile things were working great. The point of this anecdote is that this 'bug' may already be 'fixed' in (at least the Red Hat) inetd, however in this case the cure was worse than the disease. Anyone else encounter this before?

  39. On a similar note... by Anonymous Coward · · Score: 0


    Just tried that a few times on a Win95OSR2.0
    p200/128MB. It would open 3 new windows in a
    second, then wait two seconds before opening some
    more. I had the system monitor open at the time,
    the kernel was going crazy jumping between 100%
    and 0%. Memory dipped from 93MB to 68MB before
    crash.bat began getting "out of memory" errors,
    although one time Windows displayed "system out of
    resources". Number of threads went to 230, number
    of virtual machines(fancy term for number of
    shells open) never went higher than 108. No
    bluescreen.. Seemed to handle it somewhat well.

    Tried it again on a somewhat less robust original
    release win95 486/100/8MB machine that boots into
    having a 16 meg swap file. This one opens up about
    two boxes for three seconds. At 36 VMs, I get a
    white system error box: Windows cannot read from
    drive C. I hit cancel and the program continues.
    Same error occurs at lucky #42. It keeps giving
    me the error every couple of new VMs afterwards,
    which I am assuming is due to several programs
    trying to write to the swapfile all at once.
    By the time it reaches 50 I am getting bored and
    want it to be over with quickly so I can finish
    this post already. When it reaches 54 my ISP
    kills my connection from the first machine
    which I'm posting from. Bastards. Needless to
    say, the second machine is unusable, but that's
    nothing new. However, it does not bluescreen. It
    reaches 62 before I shut it off.

    Conclusion:
    crash.bat is more entertaining than most games
    I've bought lately, and far more stable.


    Perpetual Newbie

  40. Just hack inetd by Anonymous Coward · · Score: 0

    Why not just make a few hacks to inetd that
    limit the maximum instances of daemons?

  41. Typical /.'er hypocrisy by Anonymous Coward · · Score: 0

    Gee, I guess that makes you pivot man.

  42. App bug not Unix by Anonymous Coward · · Score: 0

    Maybe I'm missing something here but after the server does an accept on a socket it can just start a timer and close the socket if there's no activity for n seconds. Seems like a reasonable bit of bullet proofing to me.

    This can happen with any OS. Seems the big deal is a number of major apps haven't done this simple bit of error checking.

  43. Shut up ya face by Anonymous Coward · · Score: 0

    That's Latin for shut up ya face!

    You aren't contributing either butthead...

    oops, neither am I...

    and so the cycle continues.

  44. this is a joke... by Anonymous Coward · · Score: 0

    i mean... the process table may be kernel
    but the *server* is software! duh... they could
    have at least used the smurf attack or something
    for their FUD.

  45. Ever Heard of This New Thing? by Anonymous Coward · · Score: 0

    No.. it's called:

    #finger stream tcp nowait root /usr/sbin/tcpd in.fingerd


    Only an idiot would leave fingering enabled, DoS or no-DoS.

  46. No way. by Anonymous Coward · · Score: 0

    It's not possible. A windoze system can have a max of about 99 sockets open at once. And I'm pretty sure that *nix is 32-bit about its socket and process counters, so those would go up to 2^32. It's just impossible to do that...

  47. That's happened to me by Anonymous Coward · · Score: 0

    That's different. You ran out of *memory* and if crond forked, you would have to kill *each* process.

  48. That which was known long ago can't "emerge" by Anonymous Coward · · Score: 0

    Any sysadmin who has worked at any reasonably sized ISP has seen this problem years ago. And those with a modicum of competence have formulated ways to deal with it without the need for the OS vendor to take any action. Given enough customers, you will always have the one fool who writes a broken script which ends up doing just what Garfinkel experienced.
    One has to question Garfinkel's security and Unix expertise if he was not aware of this issue long ago and was also foolish enough to have had finger open on a customer facing server.

    Jim Collins

  49. He He Ha Ha ... their poll troll is no longer work by Anonymous Coward · · Score: 0

    The cute little poll is not working anymore ...

    Maybe a problem with the web server ?


    Document contain no DATA.


  50. Re:Typical /.'er hypocrisy ( and follow-ups) by Anonymous Coward · · Score: 0

    /. Started to draw the current standard about 9
    months ago. Once there were real discussions taking place.

    The current standard are the trendites, they don't
    know what they are talking about.

    As for this *Bug* ... If your machine is properly configured
    it should Kill off open connections after a set amount
    of time. This is why no one is too bothered about it.

  51. bugtraq uber alles by Anonymous Coward · · Score: 0


    Hmm that sounds familiar ....
    Ahh yah is it /. ?? :)

  52. Typical /.'er hypocrisy by Anonymous Coward · · Score: 0

    Umm... I seem to remember a problem with wu-ftpd a few weeks ago. The problem wasn't downplayed... it was simply fixed... fast.

  53. A solution to that kind of DOS by Anonymous Coward · · Score: 0

    Try IPLimit, available from
    http://www.jedi.claranet.fr

  54. Typical /.'er hypocrisy by Anonymous Coward · · Score: 0

    Windows is every bit as vulnerable to this problem as Unix is.

  55. No, it's not FUD. by Anonymous Coward · · Score: 0

    It's a genuine problem. Here's a copy of my response to the author:-

    A point that your article doesn't mention is that this attack is nearly as expensive to the attacker as it is to the victim, because of the shared-text architecture of modern versions of Unix. Furthermore, this attack can be made impossible by a three line change to these kinds of servers. The code would change from something like this:-

        /* get the request */
        nbytes = read(STDIN_FILENO, buf, sizeof(buf));
        /* normal processing... */

    to something like this:-

        /* get the request (wait no longer than 60 seconds) */
        alarm(60);
        nbytes = read(STDIN_FILENO, buf, sizeof(buf));
        if (nbytes == -1 && errno == EINTR)
        {
            exit(1); /* client was too slow! Prevent D.O.S. attack. */
        }
        else
        {
            alarm(0); /* turn off the alarm clock */
        }
        /* normal processing continues here. */

    The real problem is that this change must be performed in every single server. Not only that, but there are many points at which the server will wait for further input from the client. The server is vulnerable to this problem at all these points. Many servers, for example Postfix and Sendmail, already have this problem solved. A second problem is that this is not an issue just for Unix, but for all operating systems which support Internet connectivity. This includes Windows 95 and Windows NT (alias Windows 2000). -- James Youngman.

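
The read timeout proposed in comments 42 and 55, written out as a complete program. This is an added example, not code from any poster or from a real daemon; `read_request`, `READ_TIMED_OUT` and the two demo clients are hypothetical names, and the demo input is constructed. It installs a SIGALRM handler without SA_RESTART, which is what makes a blocked read() return EINTR rather than having the signal's default action kill the process.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define READ_TIMED_OUT (-2)   /* hypothetical return code for this example */

/* Empty handler: its only job is to interrupt the blocked read(). */
static void on_alarm(int signo) { (void)signo; }

/* Read one request from fd, waiting at most `seconds`.
 * Returns bytes read (0 = EOF), -1 on error, READ_TIMED_OUT on timeout.
 * Assumes no other signal handlers interrupt the read; any EINTR is
 * treated as the timeout. */
ssize_t read_request(int fd, char *buf, size_t len, unsigned seconds)
{
    struct sigaction sa, old;
    ssize_t n;
    int saved_errno;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;                 /* no SA_RESTART: read() must not resume */
    if (sigaction(SIGALRM, &sa, &old) == -1)
        return -1;

    alarm(seconds);                  /* start the clock */
    n = read(fd, buf, len);
    saved_errno = errno;
    alarm(0);                        /* turn the clock off again */
    sigaction(SIGALRM, &old, NULL);  /* restore the previous disposition */

    if (n == -1 && saved_errno == EINTR)
        return READ_TIMED_OUT;
    errno = saved_errno;
    return n;
}

/* Constructed client that connects and then sends nothing: the write end
 * of the pipe stays open, so read() blocks until the alarm fires. */
ssize_t demo_silent_client(void)
{
    int p[2];
    char buf[64];
    ssize_t n;

    if (pipe(p) == -1)
        return -1;
    n = read_request(p[0], buf, sizeof buf, 1);
    close(p[0]);
    close(p[1]);
    return n;
}

/* Constructed client that sends a finger-style request straight away. */
ssize_t demo_prompt_client(void)
{
    int p[2];
    char buf[64];
    ssize_t n = -1;

    if (pipe(p) == -1)
        return -1;
    if (write(p[1], "root\r\n", 6) == 6)
        n = read_request(p[0], buf, sizeof buf, 1);
    close(p[0]);
    close(p[1]);
    return n;
}

/* inetd-style server skeleton: the client is on stdin. */
int main(void)
{
    char buf[512];
    ssize_t n = read_request(STDIN_FILENO, buf, sizeof buf, 60);

    if (n == READ_TIMED_OUT) {
        fputs("client too slow, closing connection\n", stderr);
        return 1;                    /* frees this process-table slot */
    }
    if (n <= 0)
        return 1;
    /* normal processing would continue here, with the same timeout
     * applied at every later point where the server waits for input */
    return 0;
}
```
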
  56. xinetd is what you should use, anyhow... by Anonymous Coward · · Score: 0

    Xinetd will not solve this problem because the server will have been exec()ed already.

  57. LOL I HAVE NEVER... by Anonymous Coward · · Score: 0

    Linux "squashed like a bug"? "The big boys" from Redmond?! Ha ha ha. Typical of ZD.

    With the M$-vs-DOJ trial underway and many other antitrust lawsuits pending (from Sun, Bristol etc.) M$ can't get away with (most of, soon to be all of) the illegal anti-competitive tactics that previously helped them 'win'. So how *can* they "squash" Linux? Only one way : by making a Windows that's better than Linux. And as we all know, Hell will freeze over before that happens.

  58. LOL I HAVE NEVER... by Anonymous Coward · · Score: 0

    oh and I forgot to mention in the first reply to that message... "BeOS won't"?! Says who???

    Typical of Ziff-FUDavis.

  59. Old bug like the following prog by Anonymous Coward · · Score: 0

    Hello,
    Isn't this like the old C program that will kill some systems but not others?

    #include

    void main()
    {
    while(1)
    {
    fork();
    }
    }

    I have tried this on some servers with it not killing the machine and on others it died in seconds.

  60. interesting story on news.com by Anonymous Coward · · Score: 0

    Actually that isn't so far from the truth...

    Take a look at:

    http://www.news.com/News/Item/0,4,33117,00.html

  61. Typical /.'er hypocrisy by Anonymous Coward · · Score: 0

    Think about it. The problem is the process table can be filled. Should an OS try and service resource requests or limit them? Let's assume it was written differently. Resources ran out when memory runs out, does that make the situation better? The problem is not with unix, the problem is with the server application not limiting resource requests.

    Oh and just to add my two cents worth to the shit fight. The difference between NT and Unix, people try and work out why Unix crashes, there tends to be a reason. NT just crashes.

    I will admit the number of blue screens has reduced, now it just locks up, runs out of disk space because applications (Microsoft produced) don't destroy temp files, and runs out of memory because of memory leaks. The best mileage I can get with NT is two days.

    If you want to make NT reliable unplug the keyboard, real reliable unplug the internet connection, and super reliable, the monitor. Then you don't know or care what it is doing.

  62. Telnet port too... this is old news by Anonymous Coward · · Score: 0

    You can open connections to the telnet port also and make the telnetd hang by ignoring the telnet protocol packets and make the machine run out of ptys. A couple years ago I did it to spamford wallace's machine a few times until he blocked the port. This is old news.

  63. On a similar note... by Anonymous Coward · · Score: 0

    My workstation at work made it to 289 processes before cratering...

    P2-450 with 192megs of memory.

    The Artful Dodger (can't remember his password at the moment)

  64. solution (actual GPL code) *here* by Anonymous Coward · · Score: 0

    The Bugtraq description shows how inetd and other run-as-root network services can be used by remote attackers to create a DoS. It has already been shown that xinetd can help protect against this theoretical attack. But other services don't normally run under inetd, and wouldn't you like to know if/when you're "under attack"?

    I have put together a daemon I call "pidd" which, basically, monitors the number of pids in use and executes scripts in response to the number of free pid slots crossing certain thresholds. E.G. if the system has fewer than 100 pids left, page me, shut down the sendmail daemon, and block all access from the Internet. Obviously you could do fun things like try to determine who was causing the problem by looking at netstat -a and making packet filtering changes that only affect that address/subnet. Whatever you can think of.

    For more info see comp.security.unix or grab the tarball, with sample configs plus email and ipfwadm response scripts, at http://www.clark.net/~peterw/pidd.tar.gz

    # ls -l pidd.tar.gz
    -rw-r--r-- 1 root root 5483 Mar 4 22:38 pidd.tar.gz
    # sum -s pidd.tar.gz
    45704 11 pidd.tar.gz
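
The threshold monitoring described in comment 64, as an added sketch that is not the pidd code from the tarball above. It assumes a Linux procfs: the task count comes from the "running/total" field of /proc/loadavg, and kernel.pid_max is used as the ceiling (the effective limit on a given box may be lower). All function and type names are hypothetical and the sample lines are constructed.

```c
#include <stdio.h>

/* Parse the "running/total" field of a /proc/loadavg line.
 * Returns the total number of tasks, or -1 if the line is malformed. */
long total_tasks(const char *loadavg_line)
{
    long running, total;

    if (sscanf(loadavg_line, "%*f %*f %*f %ld/%ld", &running, &total) != 2)
        return -1;
    return total;
}

enum pid_event { PID_NONE, PID_LOW, PID_RECOVERED };

struct pid_watch {
    long low_water;  /* alert when free slots drop below this */
    int  tripped;    /* 1 while we are below the threshold */
};

/* Report a threshold crossing once per crossing, not once per sample,
 * so a response script is not re-run on every poll during an attack. */
enum pid_event pid_watch_update(struct pid_watch *w, long max_tasks, long used)
{
    long free_slots = max_tasks - used;

    if (!w->tripped && free_slots < w->low_water) {
        w->tripped = 1;
        return PID_LOW;
    }
    if (w->tripped && free_slots >= w->low_water) {
        w->tripped = 0;
        return PID_RECOVERED;
    }
    return PID_NONE;
}

/* Constructed samples: a 600-slot table filling up, draining, filling again. */
static const char *const SAMPLE_LINES[] = {
    "0.10 0.05 0.01 1/120 2301",
    "0.90 0.30 0.10 2/480 2790",
    "1.40 0.50 0.20 3/505 2840",   /* 95 free  -> PID_LOW */
    "2.10 0.80 0.30 3/530 2900",   /* still low, no second alert */
    "3.00 1.20 0.50 4/590 3010",
    "1.00 1.00 0.50 1/310 3015",   /* 290 free -> PID_RECOVERED */
    "1.80 1.10 0.60 2/520 3300",   /* 80 free  -> PID_LOW again */
};

/* Replay the constructed samples and count how many low-water alerts fire. */
int demo_low_alerts(void)
{
    struct pid_watch w = { 100, 0 };
    int alerts = 0;
    size_t i;

    for (i = 0; i < sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0]; i++) {
        long used = total_tasks(SAMPLE_LINES[i]);
        if (used >= 0 && pid_watch_update(&w, 600, used) == PID_LOW)
            alerts++;
    }
    return alerts;
}

static long read_long(const char *path)
{
    FILE *f = fopen(path, "r");
    long v = -1;

    if (f == NULL)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* One poll of the live system; a daemon would repeat this on a timer. */
int main(void)
{
    char line[128] = "";
    struct pid_watch w = { 100, 0 };
    long max_tasks = read_long("/proc/sys/kernel/pid_max");
    long used = -1;
    FILE *f = fopen("/proc/loadavg", "r");

    if (f != NULL) {
        if (fgets(line, sizeof line, f) != NULL)
            used = total_tasks(line);
        fclose(f);
    }
    if (max_tasks < 0 || used < 0) {
        fputs("cannot read procfs\n", stderr);
        return 1;
    }
    printf("tasks in use: %ld of %ld\n", used, max_tasks);
    if (pid_watch_update(&w, max_tasks, used) == PID_LOW)
        puts("ALERT: fewer than 100 free slots, run response script here");
    return 0;
}
```
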

  65. "Security expert" Simson Garfinkel, my ass! by Pasc · · Score: 1

    Garfinkel knows security... no doubt. But, IMHO, he has a habit of over-hyping things.

  66. Yup... UNIX-Specific flaw. by Erich · · Score: 1

    NT drops connections randomly, so it doesn't have this problem.

    --

    -- Erich

    Slashdot reader since 1997

  67. 600-1500 processes? by whoop · · Score: 1

    Is that all Unix can do at once? I'd guess it would be at least 32k. Not that I blame ZD, they do what they can with no knowledge, just pass these "I can shut down the Internet in 2 seconds!" yahoos along.

    Couldn't this just be handled by tcpwrappers (or similar) to close a session after 5 minutes of no traffic? Aside from all the usual firewall, tighten security, etc a half-witted system admin would do.

  68. 600-1500 processes? by whoop · · Score: 1

    I just said 32k, because that's all the higher I've noticed my Linux box to get in PIDs before starting back at the beginning. But still the point of ZD saying 600 processes is all it takes to kill an ISP is rather amusing. I can't imagine how Slashdot keeps going, surely there's times when there's 600+ users at once.

  69. You miss the point of this article. by whoop · · Score: 1

    ...but Garfield discovered that the assault can come from the outside.

    To run your fork program you'd have to be a user on that machine, and we all know that's old news. But the ground-breaking discovery here is that outside connections use the same process table. All I can say is, WOW. I may just change my ISP to this guy's company if he's so security conscious...

    Heh, another cute quote I caught while re-reading it: I can shut down any one of their servers on the Net. A mighty bold statement. We need to immediately restructure the entire Internet to resolve this issue, lest we all die a slow and painful death.

    And what's with the bit about it taking 10 hours to accomplish this task? Do one connection a minute for 10 hours to get the 600 entries in a process table? I can already see this guy is an experienced sys admin with programming prowess like this. :)

  70. My desk has a security flaw by Alex+Belits · · Score: 1

    If I bang my forehead at it for two days continuously I can make a hole in it.

    --
    Contrary to the popular belief, there indeed is no God.

  71. Been there, done that, got the T-shirt! by gavinhall · · Score: 1

    Posted by Ominous the Foreboding:

    My friends and I were using this one on each other back in '93! There are 2 nice ways to fix this one. (a) timeout fingers-n-such after a specified amount of time, and (b) limit the number of each process that inetd will fork. Either one alone can be a pain in the neck if done too tightly, but both done lightly can keep a system up for quite a while!

  72. Hint to zdNet: get a clue about your subject by bluGill · · Score: 1

    It is rather obvious that the person writing this knows nothing about unix, and is biased against unix. Look at the way they dismiss the few vendor quotes they get, the ignorance of what is really going on. This is journalism you expect to see in something one step above the National Enquirer, not something you expect from a creditable news organization.

    Of course this problem was dismissed by those involved. It is not as serious as you are claiming. Far as I can tell you are saying this is caused by the finger program, which most people consider a security hole anyway, certainly the administrators who care about security have disabled it. Can it be caused by others? Maybe, but it is no worse than the SYN flood attack that is inherent in the design of TCP.

  73. configurable by bluGill · · Score: 1

    When you compile your kernel you can configure how many to allow. The more you allow, the more memory the kernel needs. (real physical memory, and swap both)

    For a non-server home machine 600 is plenty of processes. What I want to know is why someone would run a server with a process table that small?

  74. Re:Wow ... what a moron by I.P.+Freely · · Score: 1

    Simson did bring it up in the Saturday technical conference - you must not have been in that session. Also, Simson is coauthor of the O'Reilly book, Practical Unix Security. It's a shame that almost no one seems to have bothered to really look into this story before screaming "FUD."

  75. Wow ... what a moron by I.P. Freely · · Score: 1

    He coauthored the O'Reilly book Unix Network Security. Also, he didn't badmouth the vendors, he was just covering himself by letting everyone know that he tried (for a year) to warn them before exposing the hole on a public forum. He was at the SANS network security conference in February, and was genuinely concerned with doing the right thing with regards to announcing it.

  76. yeah - bugtraq & lwn... by mackga · · Score: 1

    had info on this last week. Bugtraq had a number of posts about it; check out the archives. And the article on LWN, about the guy posting the 'sploit. Lots of different info on bugtraq.

    --

    "shop smart:shop s-mart" ash

  77. LOL by mackga · · Score: 1

    Perfect!!!

    --

    "shop smart:shop s-mart" ash

  78. Ever Heard of This New Thing? by pb · · Score: 1

    Yeah, a lot of boxes don't accept finger queries these days anyhow, and we've got the friggin' proprietary chat programs instead (which run on everything, including Windows) and I'm sure they're just as bad...

    It's not hard to set the size of the process table, anyhow, whenever something forks too much you'll get errors, but it won't usually crash a box.

    Even NT doesn't always crash in low memory conditions, but good luck getting that memory back! :)

    --
    pb Reply or e-mail; don't vaguely moderate.
  79. The Only Major Flaw... by mholve · · Score: 1

    ...is that it isn't already running on everything! :)

  80. Ever Heard of This New Thing? by mholve · · Score: 1

    It's called a firewall. ;>

  81. We Have a Winnah! by mholve · · Score: 1

    Hehehe. Good one. :)

  82. a firewall by kfort · · Score: 1

    would cut off a country pretty quick, wouldn't it?

  83. even then by Christopher Craig · · Score: 1

    I will never take ZDNet seriously. A year ago they were running unresearched garbage that was almost always at odds with what I've seen from experience (my favorite was an article talking about what a bad OS Linux is, written by an author who had never used it, and using the poor writing on www.linux.org as his primary reference); these days they are printing unresearched garbage that often supports what I've seen, but that doesn't mean they can be taken seriously.

    If they run a front page article on how great Linux is, it will only show that the popularity of Linux has made it easy to write trash favoring it. Asking a three year old for strategic IT information is more likely to get you useful information than reading anything published by ZDNet.

  84. Typical winmaven brain damage by pedro · · Score: 1

    It's "hypocrisy", buttfuck.
    If you guys can't bleeding SPELL, how can we count on you to CODE?
    Geez!

    --
    Brak: What's THAT?
    Thundercleese: A light switch.. of TOTAL DEVASTATION!
  85. ZD's poll seems fsck'd by pedro · · Score: 1

    I tried numerous times to vote on whether M$ would squish li'l ol' linux, but I kept getting "document contains no data." ZD runs NT, don't they?
    Hmmmm....

    --
    Brak: What's THAT?
    Thundercleese: A light switch.. of TOTAL DEVASTATION!
  86. "unix" flaw? by Matts · · Score: 1

    The point is NT spawns new threads, not new processes. And NT doesn't have a fingerd (or a whole lot of other daemons).

    Not that I think NT won't suffer from other similar DoS's - I'm sure it will.
    --

    --

    Matt. Want XML + Apache + Stylesheets? Get AxKit.
  87. "unix" flaw? by Matts · · Score: 1

    Ok - but most Linux installations as they are installed by default have this flaw. That's the point. You could argue that all the IIS bugs have been server software problems not OS problems too. The point is - the problem exists (but at least we'll get a fix quicker than an NT service pack)
    --

    --

    Matt. Want XML + Apache + Stylesheets? Get AxKit.
  88. Eh? by red_dragon · · Score: 1

    The attack sounds much like the SYN flood DoS attack that was plugged in 2.0.thirtysomething (35, I guess).

    This, and what someone said about ZD having 2.2.0 *now*, make me think we're running time machines on our desks (we're predicting the future, it seems)...

    ^D

    --
    In Soviet Russia, Jesus asks: "What Would You Do?"
  89. This actually is a problem. by vallee · · Score: 1

    Look, just because it's easy to trace doesn't mean this isn't a problem. What if there's a cyberwar - don't laugh, the U.S. government has a team getting ready for it.
    DOS attacks like this could cause serious headaches. It's basically impossible to "cut off" a country from the Internet. That means that it would be next to impossible to prevent a mass attack of this sort along with many, many other types of attacks. Net result? It might take 8 hours, but it sure would inconvenience a whole lot of people. This doesn't look like that big a problem, just set some limits, based on the anticipated demands, on how much resource a daemon can take up. We do it for Apache. We should do it for all of these.
    My 2c.
    --

    --
    The real Paul Vallee is slashdot userid 2192, and, what do you mean it's not cool to point out your low userid?
  90. Squashed like a bug? by Frank Sullivan · · Score: 1

    Shouldn't their poll have been, "Will Linux squash Microsoft like a bug?" I'll bet MS would fare worse than Linux has...

    --
    Hand me that airplane glue and I'll tell you another story.
  91. Heheh.. This site is stale... by Rendus · · Score: 1

    Linux 2.2.0 Kernel
    The latest Linux kernel is now available for download from ZDNet's Software Library.

  92. Another poll to Slashdot. by Forge · · Score: 1

    Jump right in.

    PS : Flaw ?

    --
    --= Isn't it surprising how badly I spell ?
  93. Another poll to Slashdot. by Forge · · Score: 1

    Jump right in.

    Flaw ?

    Let's see. You finger a server and don't close the connection then you finger it again. You keep doing this until the server's process tables overload and it goes under.

    There is a simple workaround which is to limit how much resources a daemon can eat up.

    It takes 10 hours to bring down a server.

    When you do it you can easily be traced by the server admin.

    Unix vendors have known about this for years and don't even consider it a problem "[...It's like saying the gas in my car could explode]".

    RedHat's Market-Droid had never heard of it but dismissed it in the usual manner "[If there is really a problem it will be fixed quickly]".

    There are no real exploits, just an app that went haywire on a client PC and brought down one server at an ISP.

    Does anybody else smell FUD aimed at dampening the "problem" called LinuxWorld ?

    PS : "[...]" means it was paraphrased.

    --
    --= Isn't it surprising how badly I spell ?
  94. Two Hours?!?! by DrPatPobox · · Score: 1

    It took them 2 hours to recover from a DOS finger attack?!?! killall -9.... :)

  95. Two Hours?!?! by DrPatPobox · · Score: 1

    It took them 2 hours to recover from a DOS finger attack?!?!

  96. The sad thing is that I get it. by dav · · Score: 1


    Ah, blissful ignorance, where hast thou gone?

  97. 'flaw' by arielb · · Score: 1

    would this flaw be a problem for openbsd?

    --
    ---
  98. I FOUND ANOTHER FLAW by Dagmar d'Surreal · · Score: 1

    Apparently there's a major problem in the Unix operating system (guffaw) that allows complete and total morons to make public announcements (particularly reporters already known for their utter cluelessness) about new "denial of service attacks" in Unix which are given wide acceptance for reasons which we have not yet been able to discern. Hopefully sniffing the air for the aroma of fertilizer will give us more clues soon.

    This in turn causes hundreds of thousands of people around the globe who are just as clueless to announce that they agree this is a problem and are horrified by it and something must be done immediately.

    ...which in turn causes the several thousands or so who actually *do* know what the hell they're doing to have to spend the next few days answering email and phone calls, attending meetings, and sending out faxes to people setting them straight and telling them to calm down, instead of doing their normally useful job tasks. This denies many companies the services of their properly employed security administrators.

    Remember, folks, just because it's on a web site, doesn't mean it's not complete and utter bulls**t.

  99. 32K or 64K unique PIDs, but limited # of processes by Mr Z · · Score: 1

    Most Unixes have a 16-bit PID (which gives you 32767 PIDs if they're signed quantities (leaving negative numbers for error values) or 65535 PIDs if they're unsigned). In any case, 0 is not a valid PID, and 1 is left for the special init process (either by convention or by design, I'm sure it depends on which OS you're dealing with).

    This does not mean you can have 32K simultaneous processes. Linux's default process table has been 512 or 1024 processes, from what I recall, and it's configurable with a #define if you want more.

    Also, in response to another person's comment -- # of processes does not translate into # of users. In fact, typical implementations of a number of common daemons service multiple users with a single process. I believe most MUDs are implemented this way.



    --
  100. Unix has 21st century probs, WinNT has probs today by Mr Z · · Score: 1

    Sure, Unix has work to do to be stable for the next 100 years. I'll buy that. Heck, we'll all complain about the time_t wraparound that occurs in 2038. "Unix... best if used before: Tue Jan 19 03:14:08 2038 UTC" . Nonetheless, Unix has had 30 years to mature, and most of its major problems have been solved (and new problems, as discovered, are addressed fairly quickly). And we all have another 39 years to brace for Unix's flavor of Y2K problem. ;-)

    In contrast, Windows NT is still fairly immature, and is growing new code faster than the old code can be fixed. It already has tons of problems, with new problems being added every day -- even faster than old problems are being fixed. When new problems are found in it, we have to wait for Micros~1 to decide when to fix them -- and usually the decision is a marketing based decision, and nothing more.

    So which do you choose? 21st Century Problems, or Problems Today (And Forever)?

    snicker

    PS. I stole someone's 'Micros~1' joke... I like it.



    --
  101. Wow ... what a moron by Cosmo · · Score: 1

    So, this guy is supposed to be some sort of Sysadmin? That's just part of running a server, this guy sounds like he has no idea what he's talking about. I'll bet it's a 50/50 Unix/NT shop, and this guy's really the NT admin. It just seems odd to me that he'd badmouth all the vendors because he doesn't know how to run his server.

    --
    I came. I saw. I coded.
  102. Interesting... by JerkBoB · · Score: 1

    I ran it on my ol' p60/64MB NT 4.0 machine for kicks. To its credit, it didn't die, but it opened about 300 processes and slowed to a crawl before the OS realized that something was going on and refused to allocate any more resources.

    Hehe. The main use of this NT box is for running WhatsUp and Visio. Scotty is neat but the pitchers it makes ain't as pretty.

    --
    A host is a host from coast to coast...
    Unless it's down, or slow, or fails to POST!
  103. 600-1500 processes? by Andreas Bombe · · Score: 1
    PIDs are just sequential numbers, the number of *simultaneous* processes is another thing. This is actually limited by the process table size (which is adjustable at compile time in Linux).

    To quote include/linux/tasks.h:

    #define NR_TASKS 512 /* On x86 Max 4092, or 4090 w/APM configured. */

    Another thing: number of /. "users" != number of processes.

  104. Syn flood? by JungleBoy · · Score: 1

    Isn't this just a syn flood? Doesn't linux have syn cookies to avoid filling up the connection table? Yeah, I thought so. I guess this affects /other/ unices.

    Andrew
    --
    ...Linux!

    --
    "You never know when some crazed rodent with cold feet might be running loose in your pants."
    -Calvin
  105. xinetd is what you should use, anyhow... by jnazario · · Score: 1

    inetd is a mess in that it never checks the process table. i was hit last week with a DoS attack that failed. why? because xinetd was set to deny the IP anyhow and never forked. just flooded my logs with failures, but hey, my machine survived.

    linux inetd is, of course, subject to this issue. so just move to xinetd, already. other inetd replacements can also be used to control the number of daemon processes spawned... and you should use them. unfortunately, not everyone has the luxury of implementing firewalls.

    i grabbed xinetd from tp://coast.cs.purdue.edu/pub/tool/unix/xinetd/ and it works like a champ.

    --
    jose nazario jose@biocserver.cwru.edu
  106. This actually isn't a problem. by Balp · · Score: 1

    Any server could be put out of service as long as one does not care about getting traced, and has a superior net connection. That is not a security problem. Every server has a maximum number of simultaneous jobs it can process (there doesn't exist any computer with unlimited bandwidth and unlimited CPU power). If you have access to "several" well-connected sites you can always use up these resources for any site. There is no possibility to stop this. The important thing is that after the "attack" stops the server resumes work as usual...

  107. Major Windows flaw emerges by chialea · · Score: 1

    hahahahahahahahahahahahahaha

    ow... my stomach hurts! not that I've ever had this problem on my NEW machine -- it usually lasts about 2 weeks or so without rebooting. well it did. now it's gone into the bit bucket with no regrets...

    well, not none -- anyone know where you can get a killer flatscreen that works with Linux? and how about drivers for the Creative Labs PC-DVD Encore?

  108. Yes, there really is a flaw in those lusers! by chialea · · Score: 1

    ... whereas for microsoft, you can bring it down by doing things you're SUPPOSED to do. like opening MS Word.

    you'd think they'd make sure their OWN products don't crash their OWN products...

  109. how about running NO software? by chialea · · Score: 1

    leave it. it crashes.

  110. Please Tell me.... by Accipiter · · Score: 1
    Take a look at this link:

    http://www.zdnet.com/talkback/22_28402_123746.html

    What exactly is the 'Microsoft Standard'? Doesn't this person know that Linux has surpassed Windows in almost every category? And I personally don't see anything wrong with the Average User giving Linux a whirl. I think it would be good for them.

    Accipiter

    (P.S.: Pain in using a computer? If you can't take the heat....)

    --

    -- Give him Head? Be a Beacon?
    (If you can't figure out how to E-Mail me, Don't. :P)

  111. SYN floods are new? by scrytch · · Score: 1

    I eagerly await ZDNet's coverage of this new-fangled ``horseless carriage'' contraption.

    New DOS attack discovered: parking your car in the middle of the road will clog up traffic.

    --
    I've finally had it: until slashdot gets article moderation, I am not coming back.
  112. Major Windows flaw emerges by Pac · · Score: 1

    ZDNet was able to confirm today that a major design flaw exists in all versions of Windows released to date.
    Johnny Doe, a well-known nerd and computer user has told us that any version of Windows can be brought down by a Denial-of-Service attack known as "Normal Use".
    "It is too simple", said Doe, "a user would go and start using the machine. It can be done even remotely. In some hours, bingo, there goes Windows south".
    Doe said he tried to call Microsoft's attention to the problem but failed to get it past the third-shift phone-support supervisor, who told him "And what are the news?".

  113. Since when.... by Pac · · Score: 1

    Although you can't really use it remotely, you can certainly bring it down remotely... :))

  114. He who runs fingerd... by Cerebus · · Score: 1

    ...deserves it. 8)

    Seriously, though, if he's running an internet-accessible system without proc limits or reasonable timeout values, it's his own damn fault.

    It takes all of a minute or two to write a process-reaper, fer Gad's sake.

    -- Cerebus

    --
    -- Cerebus
  115. What's it take? by FireReaper · · Score: 1
    To pass this test? huh?

    I mean... does every troll post have to have some inanity about that F*cking Bill Gates ramming Sh*t down every two bit computer user's throat and a hard whatchamacallit up their *ss's?

    Probably not.

    The obviously superior OS, and I do mean OS as in "Outdated Software", Win-whatever, runs circles around unix stuff. Yeah, sure.

    I mean.. we are talking about windows which runs on today's desktop PC's compared to the unixes which require those large and expensive computing units, right? Can't WE SEE that unix is outdated?

    Probably not.. not with all that sh*t all over the place.

    Not only that, but just imagine the benefits of running a truly superior OS like win-something-or-other. You'd never need a UPS(because it wouldn't help you), you wouldn't need an administrator(because anyone can crash it just as easily), you wouldn't need powerful hardware(You'd need EXPENSIVE and VERY VERY Powerful hardware to squeeze ANY performance out of it), and best of all, it's like an STD. Once you've got it, you've pretty much got it for life... and probably where it really hurts.

    Now.. compare this to those crufty old useless unix systems. You'll need lots of backup and UPS's because you'll always have important stuff on those machines. You'd need an administrator who's trained and knowledgeable because unix is a software that requires someone who can think behind that keyboard. And you'd better save those pennies, because with only a fraction of the money needed to buy a unix-capable piece of hardware which can outperform win-blows any day of the week(can't say month since Win-dump won't last that long).

    But hey.. go with that unix or linux. Sure as hell won't piss off Billy "boy" gates. But you'll probably make your customers happy. And as any "good"(as defined by MS) knows, that's the LAST thing you should do.

    [maybe.. just maybe.. this will get a passing grade. :p]

    Disclaimer:

    Btw, the above rant does not represent mine or anyone's(as far as I know) perspective about computers, OS's, and the industry. The characters are fictional and any resemblance to real life individuals would be sad.


    - Wing
    - Reap the fires of the soul.
    - Harvest the passion of life.

    --
    - Wing
    - Reap the fires of the soul.
    - Harvest the passion of life.
  116. Hah. by HappyHead · · Score: 1

    Yep, that got done (by students) to my University's main server back in 1994. It took about 15000 connections before the thing froze up, and the auto-kill daemon had it cleared up about 10 minutes later. (Probably would have been faster, but the connections were being respawned when they got killed.) Wasn't even enough to get the admins to yell at us. Anyhow, with 15000 connections to a machine being needed to shut it down, how exactly is this a huge, major scary problem? How many connections does it take to nail NT to the floor? All it means is "When you write a new/replacement daemon, don't forget to drop idle connections" - which many of them do already.

  117. Yes, there really is a flaw! by chrisv · · Score: 1

    hehe, Apple ProDOS? isn't that what we call the
    genuine single-user operating system? Eh, and I'll
    have to stop using the top of my system as a
    footrest.

    --

    Dogma: Dead (mostly because your Karma ran it over)

  118. That's silly. It has nothing to do with Unix. by Azul · · Score: 1

    I can't see why this would affect Unix more than MacOS, WinNT, AmigaOS, BeOS, OS2 or any other operating system at all.

    It affects any poorly implemented daemon. Imagine apache forked a new process for every HTTP request. Heh. Now that would suck. All daemons designed to be run by the inetd should check and see how many of the same are already running or, better, we could hack GNU's inetd to allow the user to set a maximum number of fork'ed processes per service.

    AFC.

  119. Did that once. by joshv · · Score: 1

    Only it was a batch file that spawned a new command interpreter, to run the same batch file.

    Could not click the close buttons fast enough.

    Control-Alt-Delete, then selecting shutdown killed them all - eventually.

    -josh

  120. UNIX is full of 'flaws' by jabber · · Score: 1

    Guess what? If you're root, and type rm -rf / you could erase files. There's no warning and no "Are you REALLY REALLY sure?" message!!! Wow!

    THIS JUST IN --- Ginsu issued a recall of its best-selling kitchen knife. Apparently, you could cut yourself with it.

    Leave it to ZDanything to start a panic.
    Hoard food and ammo, Y2K is nigh!

    --

    -- What you do today will cost you a day of your life.
  121. "Security expert" Simson Garfinkel, my ass! by jabber · · Score: 1

    one of the canonical texts on Internet/Unix security

    In the beginning, there was nothing, and then God said "let there be light" and there was light..

    While speaking of canonical texts, let's remember to take them for what they're worth, question our sources, and never let our heroes rest too long on their laurels. And if they stick their foot in their mouth, let's make sure they know we know.

    I wonder how M$NT would stand up to this 'flaw'.

    --

    -- What you do today will cost you a day of your life.
  122. Intelligence * effort by Prophet · · Score: 1

    Anyone else notice the intelligence of the Poster reflected in the grammar and spelling?

  123. Process table issues by generic · · Score: 1

    They just had a post on bugtraq about inetd doing this. It's easy to fix, just put an alarm() in the source code if the client doesn't answer in 60 seconds.

    bet you I can fix this faster on my linux box with sources than my NT box without..

    --
    Microsoft aggravates my tourettes syndrome.
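
The alarm() fix suggested in the comment above, as an added example (not code from the post, from Bugtraq, or from any real inetd or fingerd): the per-connection handler arms a deadline and lets SIGALRM's default action end it. The names handle_request, serve_one and demo_client, the pipe standing in for the client socket, and the sample request are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Per-connection handler, as a "nowait" service started by inetd would
 * run it (hypothetical name). alarm() arms one deadline for the whole
 * session; SIGALRM's default action terminates the process, so a client
 * that connects and never sends a request cannot hold a process-table
 * slot for longer than `secs`.
 */
static int handle_request(int fd, unsigned secs)
{
    char line[256];
    size_t used = 0;
    ssize_t n;

    signal(SIGALRM, SIG_DFL);   /* an inherited SIG_IGN would defeat the deadline */
    alarm(secs);
    while (used < sizeof line - 1) {
        n = read(fd, line + used, sizeof line - 1 - used);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            break;              /* EOF or error: give up on this client */
        used += (size_t)n;
        if (memchr(line, '\n', used))
            return 0;           /* a full request line arrived in time */
    }
    return 1;                   /* no complete request */
}

/* Stand-in for inetd's fork-per-connection step: run the handler in a
 * child and return its wait status (or -1 on failure). */
int serve_one(int fd, unsigned secs)
{
    int status = -1;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(handle_request(fd, secs));
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return status;
}

/* Constructed client: sends `request`, or stays silent when it is NULL.
 * The write end is left open during the session, so the handler never
 * sees EOF, just like a held-open connection. */
int demo_client(const char *request, unsigned secs)
{
    int p[2], status;

    if (pipe(p) < 0)
        return -1;
    if (request && write(p[1], request, strlen(request)) < 0)
        return -1;
    status = serve_one(p[0], secs);
    close(p[0]);
    close(p[1]);
    return status;
}

int main(void)
{
    int s = demo_client(NULL, 1);          /* silent client, 1 s deadline */
    printf("silent client: %s\n",
           WIFSIGNALED(s) && WTERMSIG(s) == SIGALRM
               ? "handler killed by SIGALRM" : "handler not timed out");
    s = demo_client("jdoe\n", 60);         /* normal client, 60 s deadline */
    printf("normal client: exit status %d\n",
           WIFEXITED(s) ? WEXITSTATUS(s) : -1);
    return 0;
}
```

The deadline is left armed after the request is read, so a client that stops reading the reply is cut off by the same timer.
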
  124. Linux probably pretty safe by Your own stupidity · · Score: 1

    Linux defines in (2.2.x):

    #define NR_TASKS 512 /* On x86 Max 4092, or 4090 w/APM configured. */

    #define MAX_TASKS_PER_USER (NR_TASKS/2)
    #define MIN_TASKS_LEFT_FOR_ROOT 4

    The real danger is if you are running stuff as root out of inetd. finger seems to have this problem on RedHat. qmail takes the correct approach: Use timeouts on all I/O, run as a user process only, and use tcpserver instead of inetd to limit number of connections. If you are running stuff out of inetd, make sure it at least uses an inactivity timeout.

    In any case, finding the attacker is real easy. It's a suicide crack.

    Some individual services may be somewhat lame in this respect, but that hardly makes it a UNIX flaw. It's an application problem.

    --
    -- Blame any errors on your own stupidity. All wrongs reserved.
  125. You don't say by EddyGL · · Score: 1

    Here's from inetd man page on my RedHat 5.2 server.

    "The optional ``max'' suffix (separated from ``wait'' or ``nowait'' by a dot) specifies the maximum number of server instances that may be spawned from inetd within an interval of 60 seconds. When omitted, ``max'' defaults to 40."

    With a max of 4096 processes (I am using a 2.2.x kernel), as mentioned in a prior reply, it would take well over an hour to complete this kind of attack, but less if multiple servers are attacked. But is 4096 really the max number? I've seen process ID numbers well over 20000?

    ps. why would a "security expert" leave the finger service enabled????????? Heck even I know better..

  126. Just another reason to hate Ziff-Davis by bee · · Score: 1

    Personally, I've loathed Ziff-Davis ever since they bought and subsequently folded Creative Computing (remember it?) way back when. It's no wonder they're in bed with Microsoft-- greed is the only language they understand. This kind of FUD doesn't surprise me one bit.

    --
    At least mafia-owned pizzarias make excellent pizza. Compare to Bill Gates.
  127. "Robust" internet? by Luquid · · Score: 1

    At the end of the article the author says the internet wasn't robust enough to handle 21st century problems. WTF is /THAT/ supposed to mean? Just because people can't configure their daemons then the internet isn't working up to spec? Somebody should shake this guy's head for him...

    --
    StylishPants.Org - Home of everything that's interesting, and nothing that's not.
  128. ZD FUD by jkdufair · · Score: 1

    It appears that this is another article looking for an excuse to exist by the Micros~1 media mouthpiece, Ziff-Davis.

    This'll be hot news next month in Dvorak's Inside Scoop (or whatever it's called) article.

    Jason Dufair
    "Those who know don't have the words to tell

    --

    Jason Dufair
    "Those who know don't have the words to tell
    and the ones with the words don't know too w
  129. Troll Grade: C-- by Anonymous Shepherd · · Score: 1

    Actually, I suspect it was sarcastic because it wasn't an AC... but still... Not very good sarcasm either..

    AS
    AS

    --

    -AS
    *Pikachu*
  130. newly announced windows bug by cale · · Score: 1

    There is a revolutionary new bug that has just been discovered, and it affects all M$ windows systems, it's called time. And come Jan 1, 2000 this bug is going to cause rampant errors in almost all windows systems. M$ is not currently working on a fix, because they plan to have a public beta of Windows 2000 out in December of that year, at the earliest. Comparing bugs is not even fair to microsoft. You have to actually pay for their product and you expect it to be bug free, Linux you can get for free, and it *IS* bug free (well close enough when you compare the two). OK I'm done now.

  131. This actually is a problem. by cale · · Score: 1

    There is always a good way to solve that kinda problem. If a cyberwar as you said breaks out, and we need to take down a country's net links it's not that hard, we wanna cut off Australia or something we just go and blow the fiber lines or satellite uplinks. That's why we have real commandos and not just geeks protecting our country :)

  132. But then what happens in the year 292277267641??? by pinko · · Score: 1

    Who waaants..to liiivvveee..foreverrrrrrrrr, Who waaants..to livvveee..foreverrrrrrrr


    people, it's connor macleod of the clan macleod!!
    there can be only one!!



    ahh, shit. i've fallen to the level of total nerd!

  133. But then what happens in the year 292277267641??? by Anomie-ous Cow-ard · · Score: 1

    ;)

    --

    --
    perl -e'$_=shift;die eval' '"$^X $0\047\$_=shift;die eval\047 \047$_\047"' at -e line 1.

  134. Typical /.'er hypocracy by Agent Drek · · Score: 1

    I'm a diehard IRIX sys admin.

    The first thing I do when I walk into work in the
    morning is pat my ORIGIN on its little blue head
    then ask it how its night was.
    (that article mentioned IRIX first -- so I'm sticking up for sgi)

    The second thing I do is get a coffee and reboot all the 'NT servers'. It's a pathetic OS that is
    totally closed...unfortunately the software we need
    only runs on IRIX or NT. Joyous day when I can move
    the System32 folder to the Recycle_bin!

  135. Just one more reason... by coreybrenner · · Score: 1

    to run the God of OSes, MS Windows 2000.
    All bow down to the mighty Bill Gates, for
    his operating systems are not vulnerable to
    these kinds of shenanigans. They are so
    obviously superior to that crufty old Unix
    stuff, why doesn't everyone run them?

    --C

    --
    Not only will they not deserve liberty or safety, Mr. Franklin, they will be DENIED both!
  136. Just one more reason... by coreybrenner · · Score: 1

    Exactly. Bill is your friend. He wants to make
    sure you don't get zapped by any of those mealy-
    fingered little "linux-hackers" that will be the
    ruination of the entire 'net. It stands to reason
    that NT should use all your resources, anyway. I
    mean, didn't you pay for an OS that would _use_
    that machine?

    Praise Bill.

    --C

    --
    Not only will they not deserve liberty or safety, Mr. Franklin, they will be DENIED both!
  137. Ever Heard of This New Thing? by wildcat · · Score: 1

    One doesn't even need a firewall, one just needs to install x-inetd with the 'instances' argument. Which will limit how many daemons xinetd will spawn per service. I don't know of many ISPs that use inetd these days, almost all have switched to x-inetd for the virtual machine capabilities and the superior logging.
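
An added example of the per-service cap that this comment and comment 118 describe (it is not xinetd's or inetd's code): a fork-per-connection parent that refuses new handlers once MAX_INSTANCES are running and reuses a slot when a handler exits. MAX_INSTANCES, the function names and the pipe-based silent clients are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_INSTANCES 3              /* hypothetical per-service cap */

static pid_t children[MAX_INSTANCES];
static int live = 0;                 /* handlers currently running */

/* Free the slots of handlers that have exited; never blocks.
 * Returns how many slots were freed. */
int reap_children(void)
{
    int i = 0, reaped = 0;

    while (i < live) {
        pid_t r = waitpid(children[i], NULL, WNOHANG);
        if (r == children[i] || (r < 0 && errno == ECHILD)) {
            children[i] = children[--live];   /* swap-remove */
            reaped++;
        } else {
            i++;
        }
    }
    return reaped;
}

/*
 * Called once per accepted connection. Returns the handler's pid,
 * 0 if the connection was refused because the service is at its cap,
 * or -1 if fork() failed. The parent's copy of connfd is always closed.
 */
pid_t spawn_handler(int connfd)
{
    pid_t pid = 0;

    reap_children();
    if (live < MAX_INSTANCES) {
        pid = fork();
        if (pid == 0) {
            char c;
            /* Stand-in handler: waits on a client that never sends. */
            while (read(connfd, &c, 1) > 0)
                ;
            _exit(0);
        }
        if (pid > 0)
            children[live++] = pid;
    }
    close(connfd);   /* refused or handed off: the parent keeps nothing open */
    return pid;
}

int live_handlers(void) { return live; }

/* Shutdown helper: terminate and collect every remaining handler. */
void stop_all(void)
{
    while (live > 0) {
        kill(children[live - 1], SIGTERM);
        waitpid(children[live - 1], NULL, 0);
        live--;
    }
}

int main(void)
{
    int p[2], i;
    pid_t pid, first = 0;

    for (i = 0; i < 5; i++) {        /* constructed flood: 5 silent clients */
        if (pipe(p) < 0) return 1;   /* write end stays open: no EOF */
        pid = spawn_handler(p[0]);
        if (i == 0) first = pid;
        printf("client %d: %s\n", i, pid > 0 ? "handler forked" : "refused");
    }
    kill(first, SIGTERM);            /* one session ends ... */
    sleep(1);
    if (pipe(p) < 0) return 1;
    printf("late client: %s\n",      /* ... and its slot is reusable */
           spawn_handler(p[0]) > 0 ? "handler forked" : "refused");
    stop_all();
    return 0;
}
```

With the cap in place the flood costs at most MAX_INSTANCES process-table entries for this service; the refused clients are dropped instead of forked.
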

  138. LOL I HAVE NEVER... by trey · · Score: 1

    EVER SEEN such a stupid essay. this is truly showing how PATHETICALLY stupid ZDNET is.
    lol, "MAJOR UNIX FLAW" LOL, HAHAHAHA god this is hilarious.
    Will Microsoft squash Linux like a bug -- or can it stand up to the
    big boys from Redmond?
    LOL BIG BOYS FROM REDMOND
    lol zdnet is so pathetic hhahaahaha
    of course they have to be scared too... when microsoft falls over all the way, they will be out of business... sure as hell no one wants them endorsing linux.

    --

    he who has the fastest cart always has the best lie.