Bug 57660 - xinetd per_source config doesn't function, allows denial of service attack
Summary: xinetd per_source config doesn't function, allows denial of service attack
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: xinetd   
(Show other bugs)
Version: 7.3
Hardware: i686 Linux
Target Milestone: ---
Assignee: Jay Fenlason
QA Contact: Brock Organ
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2001-12-18 14:32 UTC by Daniel Senie
Modified: 2014-08-31 23:24 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-06-06 07:47:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Daniel Senie 2001-12-18 14:32:14 UTC
Description of Problem:

We use a per_source configuration value in our wu-ftpd config file for 
xinetd. We're trying to prevent denial of service attacks, but we have 
evidence in our logs that a single source IP address can get logged in 
more times than our configuration says they should.

The result is the service is shut down due to excessive connections, and 
we get paged because our FTP service is down.

Version-Release number of selected component (if applicable):


How Reproducible:

Steps to Reproduce:

Actual Results:

Expected Results:

Additional Information:
# default: on
# description: The wu-ftpd FTP server serves FTP connections. It uses \
#       normal, unencrypted usernames and passwords for authentication.
service ftp
        disable = no
        instances               = 25
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/in.ftpd
        server_args             = -l -a
        log_on_success          += DURATION
        nice                    = 10
        per_souce               = 3

Comment 1 Trond Eivind Glomsrxd 2001-12-18 21:29:06 UTC
Can you try the xinetd at http://people.redhat.com/teg/xinetd/?

Comment 2 Daniel Senie 2001-12-27 13:26:46 UTC
Please advise as to whether the trial version of xinetd you pointed to is 
stable enough to run on a production web or email server. If so, I'll put it up 
(I guess I also will need to know how to quickly back it out).

I've changed the bug back to ASSIGN for your response. Change it to NEEDINFO if 
you like after responding.

Comment 3 Daniel Senie 2002-01-06 18:16:52 UTC
Just a note that we continue to see this issue on production servers. We set 
the FTP service to be limited to 3 connections per source (i.e. per source IP 
address) but xinetd allows connections up to the service limit, then shuts off 
the service by detecting denial of service.

We have NOT tried the trial version as yet. We presently have no testbed for 
reproducing this problem other than high-volume production servers. As such, we 
are not willing to simply put the next (and arguably untested) version of 
Xinetd onto that production environment.

You're so far giving us the choice of:

1. Install an untested version of software which MAY fix the problem, but may 
also introduce other problems, security issues, etc., or,

2. Live with denial of service attacks shutting off services.

We'd really like a fix to this problem. Please advise how much money to send, 
and to where, to get this problem properly fixed, QA'd and an errata produced.

Comment 4 Daniel Senie 2002-06-06 22:48:33 UTC
Still waiting for a response to whether the trial xinetd is, in your 
estimation, a total hack to use only for testing, a stable version you think 
could be safely deployed on a production server with similar level of stability 
to the present version.

I'm happy to test code for you, but you need to be willing to give an opinion 
as to the state of what you're asking me to test. It's been 6 months since I 
asked, though.

Comment 5 Trond Eivind Glomsrxd 2002-06-07 14:42:45 UTC
It should have worked fine. Now, there is a newer version available - the one in
Red Hat Linux 7.3. Give that one a try.

Comment 6 Daniel Senie 2002-06-13 21:39:58 UTC
OK. I've tested the version of xinetd from RedHat 7.3 (xinetd-2.3.4-0.8). The 
per_source feature is not functioning in that version either.

It would be VERY helpful to have per_source, as it would cut down on one type 
of DoS attack.

Comment 7 Mark J. Cox 2003-04-02 11:09:24 UTC
moving to version 7.3 (as 7.0 is no longer supported)

Comment 8 Mark J. Cox 2003-04-23 13:12:33 UTC
Errata for xinetd (to version 2.3.11) in progress.

Comment 9 Mark J. Cox 2003-05-30 08:38:53 UTC
An erratum for xinetd taking it to version 2.3.11 is available

Does this fix this issue?

Comment 10 Mark J. Cox 2003-06-06 07:47:03 UTC
Shound be fixed by errata, please reopen this bug if not.

Comment 11 Daniel Senie 2003-06-06 19:57:52 UTC
Sorry for the slow feedback. Recent errata version seems to function properly.

Note You need to log in before you can comment on or make changes to this bug.