Bug 57310 - Portmap DOS scenario
Summary: Portmap DOS scenario
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: portmap
Version: 7.2
Hardware: i386 Linux
Assignee: Trond Eivind Glomsrød
QA Contact: Aaron Brown
Keywords: Security
Reported: 2001-12-10 04:32 UTC by Terry Griffin
Modified: 2007-03-27 03:50 UTC

Doc Type: Bug Fix
Last Closed: 2001-12-10 04:32:51 UTC


Description Terry Griffin 2001-12-10 04:32:46 UTC
Description of Problem:

During my PPP dial-up sessions I'm getting probed by what appear to
be compromised Linux boxes. The entries in my log file look like this:

    Dec  9 20:05:07 chinook portmap[7026]: connect from XXX.XX.XXX.XXX to
    getport(status): request from unauthorized host

After such an event my network operations, particularly DNS lookups,
take a very long time to complete, 30 seconds or so for each lookup.
Even simple operations like doing an "su" to root are somehow affected
by this long timeout. The workaround is to restart portmap. The restart
itself can take a very long time but once completed then everything seems
to be back to normal.

I'm running my own named. I'm blocking outside access with tcpwrappers.
I'm not using ipchains to do any firewalling, although it is configured
for IP masquerading.

How Reproducible:

I'm not sure what tool is being used from the scanner's end,
but presumably any getport(status) operations on portmap, where
portmap is blocked by tcpwrappers, should do the trick.

Steps to Reproduce:

Actual Results:

Long timeouts on network operations. Restart portmap to correct.

Expected Results:

No change in behavior.

Additional Information:

Comment 1 Trond Eivind Glomsrød 2001-12-11 21:16:25 UTC
I don't see this behaviour - it's probably just lots of traffic on your modem
line (probing or worse), slowing down everything else. Setting up a firewall is
a good idea anyway - try running "lokkit"
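
The refusals quoted in the description can be tallied per source and per time window, so their timestamps can be compared with when the slowdowns begin. The Python below is an added example, not part of the original bug report; the sample log, its documentation addresses, the `getport(mountd)` entry and the `year` default are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS = r"[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}"
# Refusal format quoted in the report: connect from <addr> to <proc>(<prog>): <reason>
LINE_RE = re.compile(rf"^(?P<ts>{TS}) \S+ portmap\[\d+\]: connect from (?P<src>\S+) "
                     r"to (?P<proc>\w+)\((?P<prog>[^)]*)\): (?P<reason>.+)$")

# Constructed sample; the first entry is wrapped the way the report's entry was pasted.
SAMPLE_LOG = """\
Dec  9 20:05:07 chinook portmap[7026]: connect from 192.0.2.10 to
getport(status): request from unauthorized host
Dec  9 20:05:09 chinook portmap[7026]: connect from 192.0.2.10 to getport(status): request from unauthorized host
Dec  9 20:05:40 chinook named[612]: constructed unrelated entry
Dec  9 20:06:01 chinook portmap[7026]: connect from 192.0.2.10 to getport(mountd): request from unauthorized host
Dec  9 21:17:30 chinook portmap[7026]: connect from 198.51.100.7 to getport(status): request from unauthorized host
"""

def parse_refusals(text, year=2001):
    """Return (time, source, call) for each refused portmap request."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(TS, line) or not entries:
            entries.append(line)
        elif line:                       # continuation of a wrapped entry
            entries[-1] += " " + line
    events = []
    for entry in entries:
        m = LINE_RE.match(entry)
        if m and "unauthorized host" in m["reason"]:
            # syslog omits the year, so the caller supplies it (assumption)
            when = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            events.append((when, m["src"], f"{m['proc']}({m['prog']})"))
    return events

def summarize(events, window=timedelta(minutes=5)):
    """Per source: refusal count, first/last time, calls seen, peak per window."""
    by_src = defaultdict(list)
    for when, src, call in sorted(events):
        by_src[src].append((when, call))
    report = {}
    for src, hits in by_src.items():
        times = [t for t, _ in hits]
        peak = max(sum(t <= u < t + window for u in times) for t in times)
        report[src] = {"count": len(hits), "first": times[0], "last": times[-1],
                       "calls": sorted({c for _, c in hits}), "peak": peak}
    return report
```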
