Bug 57310
| Summary: | Portmap DOS scenario | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Terry Griffin <griffint> |
| Component: | portmap | Assignee: | Trond Eivind Glomsrxd <teg> |
| Status: | CLOSED NOTABUG | QA Contact: | Aaron Brown <abrown> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.2 | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2001-12-10 04:32:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I don't see this behaviou - it's probably just lots of traffic on your modem line (probing or worse), slowing down everything else. Setting up a firewall is a good idea anyway - try running "lokkit" |
Description of Problem: During my PPP dial-up sessions I'm getting probed by what appear to be compromised Linux boxes. The entries in my log file look like this: Dec 9 20:05:07 chinook portmap[7026]: connect from XXX.XX.XXX.XXX to getport(status): request from unauthorized host After such an event my network operations, particularly DNS lookups, take a very long time to complete, 30 seconds or so for each lookup. Even simple operations like doing an "su" to root are somehow effected by this long timeout. The workaround is to restart portmap. The restart itself can take a very long time but once completed then everything seems to be back to normal. I'm running my own named. I'm blocking outside access with tcpwrappers. I'm not using ipchains to do any firewalling, although it is configure for IP masquerading. How Reproducible: I'm not sure what tool is being used from the scanner's end, but presumably any getport(status) operations on portmap, where portmap is blocked by tcpwrappers, should do the trick. Steps to Reproduce: 1. 2. 3. Actual Results: Long timeouts on network operations. Restart portmap to correct. Expected Results: No change in behavior. Additional Information: