Bug 57310 - Portmap DOS scenario
Summary: Portmap DOS scenario
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: portmap
Version: 7.2
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Trond Eivind Glomsrød
QA Contact: Aaron Brown
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2001-12-10 04:32 UTC by Terry Griffin
Modified: 2007-03-27 03:50 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2001-12-10 04:32:51 UTC
Embargoed:



Description Terry Griffin 2001-12-10 04:32:46 UTC
Description of Problem:

During my PPP dial-up sessions I'm getting probed by what appear to
be compromised Linux boxes. The entries in my log file look like this:

    Dec  9 20:05:07 chinook portmap[7026]: connect from XXX.XX.XXX.XXX to
    getport(status): request from unauthorized host

After such an event my network operations, particularly DNS lookups,
take a very long time to complete, 30 seconds or so for each lookup.
Even simple operations like doing an "su" to root are somehow affected
by this long timeout. The workaround is to restart portmap. The restart
itself can take a very long time but once completed then everything seems
to be back to normal.

I'm running my own named. I'm blocking outside access with tcpwrappers.
I'm not using ipchains to do any firewalling, although it is configured
for IP masquerading.

How Reproducible:

I'm not sure what tool is being used from the scanner's end,
but presumably any getport(status) operations on portmap, where
portmap is blocked by tcpwrappers, should do the trick.

Steps to Reproduce:
1. 
2. 
3. 

Actual Results:

Long timeouts on network operations. Restart portmap to correct.

Expected Results:

No change in behavior.

Additional Information:

Comment 1 Trond Eivind Glomsrød 2001-12-11 21:16:25 UTC
I don't see this behaviour - it's probably just lots of traffic on your modem
line (probing or worse), slowing down everything else. Setting up a firewall is
a good idea anyway - try running "lokkit"
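
Added example, not part of the original report or of portmap: a parser for the tcpwrappers refusal line quoted in the description. It reports, per source address, how many requests were refused and when, so the timestamps can be compared with the periods of slow lookups. The sample log lines are constructed (documentation addresses, a hypothetical `getport(mountd)` entry), and the year is an assumption because syslog omits it.

```python
import re
from datetime import datetime

# portmap's refusal message, in the form quoted in the bug description.
REFUSAL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sportmap\[\d+\]:\s"
    r"connect from (?P<src>\S+) to (?P<proc>\w+)\((?P<prog>[^)]*)\):\s"
    r"request from unauthorized host$")
STAMP = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s")

def unwrap(lines):
    """Rejoin entries that were hard-wrapped, as the quoted log line is."""
    entry = ""
    for line in (l.strip() for l in lines):
        if STAMP.match(line) and entry:
            yield entry
            entry = ""
        entry = (entry + " " + line).strip()
    if entry:
        yield entry

def refusals(lines, year=2001):
    """Yield (time, source, procedure, program) for each refused request."""
    for entry in unwrap(lines):
        m = REFUSAL.match(entry)
        if m:  # syslog has no year field; `year` is supplied by the caller
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["proc"], m["prog"]

def summarize(lines):
    """Per source: refusal count, first/last time, procedures requested."""
    out = {}
    for ts, src, proc, prog in refusals(lines):
        s = out.setdefault(src, {"count": 0, "first": ts, "last": ts, "calls": set()})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        s["calls"].add(f"{proc}({prog})")
    return out

# Constructed sample input: one wrapped entry, one unrelated named entry.
SAMPLE = """\
Dec  9 20:05:07 chinook portmap[7026]: connect from 192.0.2.10 to
getport(status): request from unauthorized host
Dec  9 20:05:09 chinook portmap[7026]: connect from 192.0.2.10 to getport(status): request from unauthorized host
Dec  9 20:06:00 chinook named[612]: listening on [127.0.0.1].53 (lo)
Dec  9 20:41:30 chinook portmap[7026]: connect from 198.51.100.7 to getport(mountd): request from unauthorized host
""".splitlines()

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, s["count"], s["first"], s["last"], sorted(s["calls"]))
```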

