Description of problem:
We have experienced a little DOS attack against our POP3 server.
After lots of TCP connections have been spawned, xinted's DOS protection
Mar 15 20:05:33 de_dusty xinetd: FAIL: pop3 service_limit from=70.90.14.XXX
Mar 15 20:05:33 de_dusty xinetd: EXIT: pop3 status=0 pid=26374
Mar 15 20:05:33 de_dusty xinetd: Deactivating service pop3 due to
excessive incoming connections. Restarting in 30 seconds.
Mar 15 20:05:33 de_dusty xinetd: FAIL: pop3 connections per second
Mar 15 20:05:33 de_dusty xinetd: EXIT: pop3 status=0 pid=26030
Mar 15 20:05:33 de_dusty xinetd: EXIT: pop3 status=0 pid=26031
Mar 15 20:05:34 de_dusty xinetd: EXIT: pop3 status=0 pid=26032
Mar 15 20:05:34 de_dusty xinetd: EXIT: pop3 status=0 pid=26033
Mar 15 20:05:34 de_dusty xinetd: EXIT: pop3 status=0 pid=26034
(Note that the line "pop3 connections per second from=70.90.14.XXX" also seems
to be missing the float saying 'how many connections per second' there were)
After 30, the pop3 service sees a restart attempt, but something clearly goes
wrong after that:
Mar 15 20:06:03 de_dusty xinetd: bind failed (Address already in use
(errno = 98)). service = pop3
Mar 15 20:06:03 de_dusty xinetd: Error activating service pop3
This can only be solved by a restart of xinted.
Could it be that already spawned processes with client sockets are inhibiting
the server socket to be bound?
Version-Release number of selected component (if applicable):
Haven't tried yet; I will have to get some script kiddie tool to simulate this
in my spare time.
Sorry for long silence from Red Hat - requests which go through
redhat.com/support have much more attention.
I am not able to reproduce the bug - my service is correctly re-enabled after 30
seconds. Which pop3 server do you use? AFAIK we provide only cyrus-imap and
dovecot, both running without xinetd. Please provide detailed information,
including your content of /etc/xinetd.d/pop3 file.
I'm using the self-compiled Eudora QPopper behind xinetd. The pop3 is
nothing to write home about:
# default: on
# description: The pop3 server (Eudora QPopper)
# Note that the qpopper runs as 'root' but is chrooted.
flags = REUSE
socket_type = stream
wait = no
user = root
group = root
server = /usr/local/qpopper/sbin/popper
disable = no
# A CPS of 25 seems to be too hot in rare cases
cps = 40 30
only_from = 188.8.131.52 127.0.0.0
This problem hasn't occurred again so far; will have to retest if I get a couple
I do not see anything harmful in your config and I am still not able to
reproduce it (although I did not check Eudora). You can try simple script which
generates some valid POP3 connections in parallel:
USR=<add real user login here>
for i in `seq 50`
( (echo USER $USR; sleep 10; echo QUIT) | nc localhost pop3 ) &
If the bug is reproduceable, please attach a strace of xinetd -d, full content
of /etc/xinetd.d/ and /etc/xinetd.conf
It could also help if you could try to reproduce the bug with newer xinetd (from
Red Hat Enterprise Linux 5 or Fedora >=6)
Thanks in advance
Because no additional information has been provided for a long time and the issue was not reproduced, I'm closing this bug.