Red Hat Bugzilla – Bug 57660
xinetd per_source config doesn't function, allows denial of service attack
Last modified: 2014-08-31 19:24:08 EDT
Description of Problem:
We use a per_source configuration value in our wu-ftpd config file for
xinetd. We're trying to prevent denial of service attacks, but we have
evidence in our logs that a single source IP address can get logged in
more times than our configuration says they should.
The result is the service is shut down due to excessive connections, and
we get paged because our FTP service is down.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
# default: on
# description: The wu-ftpd FTP server serves FTP connections. It uses \
# normal, unencrypted usernames and passwords for authentication.
disable = no
instances = 25
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.ftpd
server_args = -l -a
log_on_success += DURATION
nice = 10
per_souce = 3
Can you try the xinetd at http://people.redhat.com/teg/xinetd/?
Please advise as to whether the trial version of xinetd you pointed to is
stable enough to run on a production web or email server. If so, I'll put it up
(I guess I also will need to know how to quickly back it out).
I've changed the bug back to ASSIGN for your response. Change it to NEEDINFO if
you like after responding.
Just a note that we continue to see this issue on production servers. We set
the FTP service to be limited to 3 connections per source (i.e. per source IP
address) but xinetd allows connections up to the service limit, then shuts off
the service by detecting denial of service.
We have NOT tried the trial version as yet. We presently have no testbed for
reproducing this problem other than high-volume production servers. As such, we
are not willing to simply put the next (and arguably untested) version of
Xinetd onto that production environment.
You're so far giving us the choice of:
1. Install an untested version of software which MAY fix the problem, but may
also introduce other problems, security issues, etc., or,
2. Live with denial of service attacks shutting off services.
We'd really like a fix to this problem. Please advise how much money to send,
and to where, to get this problem properly fixed, QA'd and an errata produced.
Still waiting for a response to whether the trial xinetd is, in your
estimation, a total hack to use only for testing, a stable version you think
could be safely deployed on a production server with similar level of stability
to the present version.
I'm happy to test code for you, but you need to be willing to give an opinion
as to the state of what you're asking me to test. It's been 6 months since I
It should have worked fine. Now, there is a newer version available - the one in
Red Hat Linux 7.3. Give that one a try.
OK. I've tested the version of xinetd from RedHat 7.3 (xinetd-2.3.4-0.8). The
per_source feature is not functioning in that version either.
It would be VERY helpful to have per_source, as it would cut down on one type
of DoS attack.
moving to version 7.3 (as 7.0 is no longer supported)
Errata for xinetd (to version 2.3.11) in progress.
An erratum for xinetd taking it to version 2.3.11 is available
Does this fix this issue?
Shound be fixed by errata, please reopen this bug if not.
Sorry for the slow feedback. Recent errata version seems to function properly.