Bug 14298 - rpc.mountd bug (or denial of service attack)
Product: Red Hat Linux
Classification: Retired
Component: nfs-utils
Hardware: i386 Linux
Priority: medium
Severity: high
Assigned To: Steve Dickson
Ben Levenson
Reported: 2000-07-19 17:08 EDT by Kambiz Aghaiepour
Modified: 2007-04-18 12:27 EDT
Doc Type: Bug Fix
Last Closed: 2002-12-24 10:50:58 EST

Description Kambiz Aghaiepour 2000-07-19 17:08:15 EDT
If a mount request comes in from an IP address where the DNS server of the
subnet for the source IP is down or not running named, rpc.mountd freezes
or is greatly slowed down causing all requests to time out (even requests
from IP addresses that resolve properly).

This problem does NOT occur if the DNS server is running, even if the IP
address does not resolve to a name.  In other words, this problem seems to
occur only if the (delegated) name server for the subnet (of the NFS
client) is not running.

I have placed a tar (gz) file with an strace of rpc.mountd, and the output
of a couple of test scripts in the URL: 

The tar file contains the following:

The .sh files are my test scripts.  The NFS_* are text files with lots of
information to help demonstrate this problem.

Comment 1 Kambiz Aghaiepour 2000-07-19 17:59:16 EDT
Ok.  I just ran my test on a 7.0 beta system (6.9.2 w/ 2.2.16 kernel and
nfs-utils) in the test lab.  And the problem is identically reproduced.  I've
added an additional tgz file to my intranet page
(http://intranet.redhat.com/~kambiz/) called stuff.tgz which is the named
configuration to go along with the named.conf file in the original tgz file.

Comment 2 Cristian Gafton 2000-08-08 22:34:10 EDT
assigned to johnsonm

Comment 3 Steve Dickson 2002-12-24 10:50:58 EST
rpc.mountd uses the well defined gethostbyXXX() routines to
resolve addresses and hostnames. Since these routines
are subject to long resolver timeouts, there is not much
rpc.mountd can do to eliminate this problem. To avoid
this problem run multiple nameds. 
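
The stall described in this report, reproduced offline as an added example (not nfs-utils code and not written by anyone in this thread): a process that resolves each client in turn is held up by one blocked lookup, and running the lookup in a child process with a deadline is one general way to bound that delay. The names `fast_lookup`, `hung_lookup`, `bounded_lookup` and `serve_all` are hypothetical, and the two lookup functions are constructed stand-ins for `gethostbyaddr()`.

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

typedef int (*lookup_fn)(const char *ip, char *name, size_t len);
/* Constructed stand-ins for gethostbyaddr(): one answers at once, the other
 * blocks like a resolver waiting on a name server that is down. */
int fast_lookup(const char *ip, char *name, size_t len) {
    (void)ip; strncpy(name, "client.example.test", len - 1); name[len - 1] = '\0'; return 0;
}
int hung_lookup(const char *ip, char *name, size_t len) {
    (void)ip; (void)name; (void)len; sleep(2); return -1;
}
/* Run fn in a child and wait at most timeout_ms (-1 = no limit, the stalled
 * case). Returns 0 = resolved, 1 = no name, -1 = timed out or error. */
int bounded_lookup(lookup_fn fn, const char *ip, char *name, size_t len, int timeout_ms) {
    int fds[2], rc = -1;
    if (len == 0 || pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                    /* child: free to block */
        char buf[256] = "";
        close(fds[0]);
        _exit(fn(ip, buf, sizeof buf) == 0 && write(fds[1], buf, strlen(buf)) < 0);
    }
    close(fds[1]); name[0] = '\0';
    struct pollfd p = { .fd = fds[0], .events = POLLIN };
    if (poll(&p, 1, timeout_ms) > 0) { /* answer or EOF arrived in time */
        ssize_t n = read(fds[0], name, len - 1);
        if (n >= 0) { name[n] = '\0'; rc = n > 0 ? 0 : 1; }
    } else {
        kill(pid, SIGKILL);            /* deadline passed: abandon the lookup */
    }
    close(fds[0]); waitpid(pid, NULL, 0);
    return rc;
}
/* Serve n requests serially; request 0 is the client whose reverse zone is down. */
long serve_all(int n, int timeout_ms) {
    struct timespec a, b; char name[256];
    clock_gettime(CLOCK_MONOTONIC, &a);
    for (int i = 0; i < n; i++)
        bounded_lookup(i ? fast_lookup : hung_lookup, "192.0.2.1", name, sizeof name, timeout_ms);
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (b.tv_sec - a.tv_sec) * 1000 + (b.tv_nsec - a.tv_nsec) / 1000000;
}
```

`serve_all(3, -1)` returns the elapsed milliseconds with no deadline, where the two well-behaved requests wait behind the hung one; `serve_all(3, 200)` returns the same measurement with each lookup capped at 200 ms.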
