Red Hat Bugzilla – Bug 12779
bug in rdate server and very easy DoS attack
Last modified: 2008-05-01 11:37:56 EDT
I'm running a RH6.2 Linux box called ``bunker'' with
time stream tcp nowait root internal
bunker is used by other hosts on the LAN to get a correct
time with rdate (Solaris and Linux rdate clients running
``rdate bunker'' in a cron).
Looking at open files (with /usr/sbin/lsof) you can see a
new entry at each connection of a client.
inetd 3163 root 11u IPv4 403354 TCP
After some time the table of open files is full and other
applications stop working properly (syslog, cvs server (connection
reset by server: too many open files) resulting in typical denial
of service attack possibility.
Reproduce it by running on the server:
watch "/usr/sbin/lsof |grep time |wc -l"
and on a client
while true; do rdate bunker; done
[As a fix I thought that the socket should close itself when
the client calls close() or when the client process exits.
This does not happen and it seems there's no timeout on server
side socket open in TCP_WAIT state.]
Submitted a CERT vulnerability report
*** This bug has been marked as a duplicate of 14876 ***