Red Hat Bugzilla – Bug 57310
Portmap DOS scenario
Last modified: 2007-03-26 23:50:16 EDT
Description of Problem:
During my PPP dial-up sessions I'm getting probed by what appear to
be compromised Linux boxes. The entries in my log file look like this:
Dec 9 20:05:07 chinook portmap: connect from XXX.XX.XXX.XXX to getport(status): request from unauthorized host
After such an event my network operations, particularly DNS lookups,
take a very long time to complete, 30 seconds or so for each lookup.
Even simple operations like doing an "su" to root are somehow affected
by this long timeout. The workaround is to restart portmap. The restart
itself can take a very long time but once completed then everything seems
to be back to normal.
I'm running my own named. I'm blocking outside access with tcpwrappers.
I'm not using ipchains to do any firewalling, although it is configured
for IP masquerading.
I'm not sure what tool is being used from the scanner's end,
but presumably any getport(status) operations on portmap, where
portmap is blocked by tcpwrappers, should do the trick.
Steps to Reproduce:
Long timeouts on network operations. Restart portmap to correct.
No change in behavior.
I don't see this behaviour - it's probably just lots of traffic on your modem
line (probing or worse), slowing down everything else. Setting up a firewall is
a good idea anyway - try running "lokkit"
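
One way to count the refused portmap requests per source and see how tightly they cluster, so they can be lined up against the slowdowns described in the report. This is an added example, not part of the original bug report; the sample log lines, the addresses, the assumed year and the 60-second window are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line layout copied from the log entry quoted in the report; syslog omits the year.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) portmap(?:\[\d+\])?: "
    r"connect from (?P<src>\S+) to (?P<call>\w+\([^)]*\)): (?P<reason>.+)$")
REFUSED = "request from unauthorized host"

# Constructed sample input (documentation addresses, not data from the report).
SAMPLE = """\
Dec  9 20:05:07 chinook portmap: connect from 192.0.2.10 to getport(status): request from unauthorized host
Dec  9 20:05:09 chinook portmap: connect from 192.0.2.10 to getport(status): request from unauthorized host
Dec  9 20:05:12 chinook portmap: connect from 192.0.2.10 to getport(nfs): request from unauthorized host
Dec  9 20:30:00 chinook portmap: connect from 192.0.2.10 to getport(status): request from unauthorized host
Dec  9 20:41:30 chinook portmap: connect from 198.51.100.7 to getport(status): request from unauthorized host
Dec  9 20:42:00 chinook named[412]: constructed unrelated line
"""

def parse_line(line, year=2000):
    """Return (timestamp, source, call) for a refused portmap request, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["reason"] != REFUSED:
        return None
    stamp = " ".join(m["ts"].split())          # collapse syslog's day padding
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")  # year is assumed
    return ts, m["src"], m["call"]

def summarize(lines, window=timedelta(seconds=60)):
    """Per source: total refusals, distinct calls, largest count inside one window."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            events[parsed[1]].append((parsed[0], parsed[2]))
    report = {}
    for src, evs in events.items():
        evs.sort()
        times = [t for t, _ in evs]
        burst, start = 0, 0
        for end, t in enumerate(times):        # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        report[src] = {"refused": len(evs), "burst": burst,
                       "calls": sorted({c for _, c in evs})}
    return report

def flagged(report, threshold=3):
    """Sources whose refusals reach the threshold within a single window."""
    return sorted(s for s, r in report.items() if r["burst"] >= threshold)
```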