Bug 57660 - xinetd per_source config doesn't function, allows denial of service attack
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: xinetd
Version: 7.3
Platform: i686 Linux
Priority: medium
Severity: medium
Assigned To: Jay Fenlason
Brock Organ
: Security
Reported: 2001-12-18 09:32 EST by Daniel Senie
Modified: 2014-08-31 19:24 EDT (History)

Doc Type: Bug Fix
Last Closed: 2003-06-06 03:47:03 EDT
Description Daniel Senie 2001-12-18 09:32:14 EST
Description of Problem:

We use a per_source configuration value in our wu-ftpd config file for 
xinetd. We're trying to prevent denial of service attacks, but we have 
evidence in our logs that a single source IP address can get logged in 
more times than our configuration says they should.

The result is the service is shut down due to excessive connections, and 
we get paged because our FTP service is down.

Version-Release number of selected component (if applicable):

xinetd-2.3.3-1

Additional Information:

# default: on
# description: The wu-ftpd FTP server serves FTP connections. It uses \
#       normal, unencrypted usernames and passwords for authentication.
service ftp
{
        disable = no
        instances               = 25
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/in.ftpd
        server_args             = -l -a
        log_on_success          += DURATION
        nice                    = 10
        # the attribute name is "per_source"; as pasted in the original
        # report this line read "per_souce", which xinetd does not recognize
        per_source              = 3
}
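An added check, not part of this bug report or of xinetd itself: a small linter that parses a service stanza like the one above, flags attribute names xinetd would not recognize (the pasted stanza spells the attribute "per_souce"), and then simulates admission under the caps that are actually in effect. Independent of the xinetd defect this report tracks, a misspelled attribute contributes nothing to the limit, so a single address can hold every instance, which is the symptom described. KNOWN_ATTRIBUTES is an assumed subset, not xinetd's full attribute list, and the sample stanzas are constructed.

```python
import re
from collections import Counter

# Subset of xinetd attribute names: those used in the stanza quoted above
# plus per_source (assumption: a small list, not xinetd's full set).
KNOWN_ATTRIBUTES = {"disable", "instances", "socket_type", "wait", "user",
                    "server", "server_args", "log_on_success", "nice",
                    "per_source"}
STANZA_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"^\s*([A-Za-z_]+)\s*(\+=|-=|=)\s*(.*?)\s*$")

def parse_service(text, name):
    """Return {attribute: value} for the named stanza, comments stripped."""
    for svc, body in STANZA_RE.findall(text):
        if svc == name:
            attrs = {}
            for line in body.splitlines():
                m = ATTR_RE.match(line.split("#", 1)[0])
                if m:
                    attrs[m.group(1)] = m.group(3)
            return attrs
    raise KeyError(name)

def unknown_attributes(attrs):
    """Attribute names xinetd would not recognize, such as a misspelling."""
    return sorted(a for a in attrs if a not in KNOWN_ATTRIBUTES)

def limit(attrs, key):
    """Numeric cap for key, or None when absent or UNLIMITED (no cap)."""
    v = attrs.get(key)
    return int(v) if v is not None and v.isdigit() else None

def simulate(attrs, sources):
    """Admit connections (all held open) in order under the effective caps
    and return (accepted, rejected). With no per-source cap, one address
    can take every instance and the service-wide limit trips instead."""
    instances, per_source = limit(attrs, "instances"), limit(attrs, "per_source")
    active, accepted, rejected = Counter(), 0, 0
    for ip in sources:
        if (instances is not None and sum(active.values()) >= instances) or \
           (per_source is not None and active[ip] >= per_source):
            rejected += 1
        else:
            active[ip] += 1
            accepted += 1
    return accepted, rejected

# Constructed sample: two lines from the stanza above, original spelling kept.
MISSPELLED = "service ftp\n{\n    instances = 25\n    per_souce = 3\n}"
CORRECTED = MISSPELLED.replace("per_souce", "per_source")
```

With 30 connections from one address, `simulate(parse_service(MISSPELLED, "ftp"), ["192.0.2.1"] * 30)` returns (25, 5), while the corrected stanza returns (3, 27).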
Comment 1 Trond Eivind Glomsrød 2001-12-18 16:29:06 EST
Can you try the xinetd at http://people.redhat.com/teg/xinetd/?
Comment 2 Daniel Senie 2001-12-27 08:26:46 EST
Please advise as to whether the trial version of xinetd you pointed to is 
stable enough to run on a production web or email server. If so, I'll put it up 
(I guess I also will need to know how to quickly back it out).

I've changed the bug back to ASSIGN for your response. Change it to NEEDINFO if 
you like after responding.
Comment 3 Daniel Senie 2002-01-06 13:16:52 EST
Just a note that we continue to see this issue on production servers. We set 
the FTP service to be limited to 3 connections per source (i.e. per source IP 
address) but xinetd allows connections up to the service limit, then shuts off 
the service by detecting denial of service.

We have NOT tried the trial version as yet. We presently have no testbed for 
reproducing this problem other than high-volume production servers. As such, we 
are not willing to simply put the next (and arguably untested) version of 
Xinetd onto that production environment.

You're so far giving us the choice of:

1. Install an untested version of software which MAY fix the problem, but may 
also introduce other problems, security issues, etc., or,

2. Live with denial of service attacks shutting off services.

We'd really like a fix to this problem. Please advise how much money to send, 
and to where, to get this problem properly fixed, QA'd and an errata produced.
Comment 4 Daniel Senie 2002-06-06 18:48:33 EDT
Still waiting for a response to whether the trial xinetd is, in your 
estimation, a total hack to use only for testing, or a stable version you think 
could be safely deployed on a production server with a similar level of stability 
to the present version.

I'm happy to test code for you, but you need to be willing to give an opinion 
as to the state of what you're asking me to test. It's been 6 months since I 
asked, though.
Comment 5 Trond Eivind Glomsrød 2002-06-07 10:42:45 EDT
It should have worked fine. Now, there is a newer version available - the one in
Red Hat Linux 7.3. Give that one a try.
Comment 6 Daniel Senie 2002-06-13 17:39:58 EDT
OK. I've tested the version of xinetd from RedHat 7.3 (xinetd-2.3.4-0.8). The 
per_source feature is not functioning in that version either.

It would be VERY helpful to have per_source, as it would cut down on one type 
of DoS attack.
Comment 7 Mark J. Cox (Product Security) 2003-04-02 06:09:24 EST
moving to version 7.3 (as 7.0 is no longer supported)
Comment 8 Mark J. Cox (Product Security) 2003-04-23 09:12:33 EDT
Errata for xinetd (to version 2.3.11) in progress.
Comment 9 Mark J. Cox (Product Security) 2003-05-30 04:38:53 EDT
An erratum for xinetd taking it to version 2.3.11 is available
http://rhn.redhat.com/errata/RHSA-2003-160.html

Does this fix this issue?
Comment 10 Mark J. Cox (Product Security) 2003-06-06 03:47:03 EDT
Should be fixed by errata, please reopen this bug if not.
Comment 11 Daniel Senie 2003-06-06 15:57:52 EDT
Sorry for the slow feedback. Recent errata version seems to function properly.
