Bug 14298 - rpc.mountd bug (or denial of service attack)
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: nfs-utils   
Version: 7.0
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
Assignee: Steve Dickson
QA Contact: Ben Levenson
URL: http://intranet.redhat.com/~kambiz/
Reported: 2000-07-19 21:08 UTC by Kambiz Aghaiepour
Modified: 2007-04-18 16:27 UTC (History)
Last Closed: 2002-12-24 15:50:58 UTC

Description Kambiz Aghaiepour 2000-07-19 21:08:15 UTC
If a mount request comes in from an IP address where the DNS server of the
subnet for the source IP is down or not running named, rpc.mountd freezes
or is greatly slowed down causing all requests to time out (even requests
from IP addresses that resolve properly).

This problem does NOT occur if the DNS server is running, even if the IP
address does not resolve to a name.  In other words, this problem seems to
occur only if the (delegated) name server for the subnet (of the NFS
client) is not running.

I have placed a tar (gz) file with an strace of rpc.mountd, and the output
of a couple of test scripts in the URL: 
http://intranet.redhat.com/~kambiz/  

The tar file contains the following:
NFS-DNS-Issue/
NFS-DNS-Issue/slowmount.sh
NFS-DNS-Issue/NFS_Server_mountd_strace
NFS-DNS-Issue/bouncemount.sh
NFS-DNS-Issue/named.conf
NFS-DNS-Issue/notes
NFS-DNS-Issue/NFS_Client_mount_unmount_via_good_interface
NFS-DNS-Issue/NFS_Client_mount_unmount_via_bad_interface
NFS-DNS-Issue/168.192.in-addr.arpa

The .sh files are my test scripts.  The NFS_* are text files with lots of
information to help demonstrate this problem.

Kambiz

Comment 1 Kambiz Aghaiepour 2000-07-19 21:59:16 UTC
Ok.  I just ran my test on a 7.0 beta system (6.9.2 w/ 2.2.16 kernel and
nfs-utils) in the test lab.  And the problem is identically reproduced.  I've
added an additional tgz file to my intranet page
(http://intranet.redhat.com/~kambiz/) called stuff.tgz which is the named
configuration to go along with the named.conf file in the original tgz file.


Comment 2 Cristian Gafton 2000-08-09 02:34:10 UTC
assigned to johnsonm

Comment 3 Steve Dickson 2002-12-24 15:50:58 UTC
rpc.mountd uses the well-defined gethostbyXXX() routines to
resolve addresses and hostnames. Since these routines
are subject to long resolver timeouts, there is not much
rpc.mountd can do to eliminate this problem. To avoid
this problem run multiple nameds. 
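
An added illustration, not part of the bug report or of nfs-utils: a simplified model of a service that resolves each client address before answering, showing how one stalled reverse lookup delays a client whose address resolves, and how a per-lookup time budget limits that delay. The resolver stub, the addresses, the timings and the serial request loop are all constructed assumptions.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as BudgetExceeded

STALL_SECONDS = 0.3  # constructed; real resolver timeouts run far longer

def fake_reverse_lookup(ip):
    """Constructed stand-in for a blocking reverse lookup (not a real resolver)."""
    if ip.startswith("192.168."):
        time.sleep(STALL_SECONDS)      # name server for this zone never answers
        raise OSError("reverse lookup timed out")
    return "host-" + ip.replace(".", "-") + ".example.test"

def serve_serially(client_ips, resolve):
    """Handle requests one at a time; return {ip: (name, seconds until answered)}."""
    start = time.monotonic()
    answered = {}
    for ip in client_ips:
        try:
            name = resolve(ip)
        except OSError:
            name = None                # unresolved client: fall back to the address
        answered[ip] = (name, time.monotonic() - start)
    return answered

class BoundedResolver:
    """Run lookups on worker threads and give up waiting after `budget` seconds."""
    def __init__(self, resolve, budget, workers=4):
        self._resolve = resolve
        self._budget = budget
        self._pool = ThreadPoolExecutor(max_workers=workers)

    def __call__(self, ip):
        future = self._pool.submit(self._resolve, ip)
        try:
            return future.result(timeout=self._budget)
        except BudgetExceeded:
            # The worker is still stuck in the lookup; only the caller moves on.
            raise OSError("lookup exceeded %.2fs budget" % self._budget)

def compare(client_ips, budget=0.05):
    """Return the delay seen by the last client without and with the budget."""
    blocking = serve_serially(client_ips, fake_reverse_lookup)
    bounded = serve_serially(client_ips, BoundedResolver(fake_reverse_lookup, budget))
    last = client_ips[-1]
    return blocking[last][1], bounded[last][1]

if __name__ == "__main__":
    slow, fast = compare(["192.168.1.10", "10.0.0.5"])   # constructed addresses
    print("blocking: %.2fs  bounded: %.2fs" % (slow, fast))
```

The budget only caps how long the caller waits; each stalled lookup still occupies a worker until the resolver gives up, so the pool size bounds how many stalls can be absorbed at once.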


