Multiple Platform remote CPU load issue in Samba 1.x and 2.x

J. Robert von Behren jrvb at cs.berkeley.edu
Wed Jun 14 14:18:22 GMT 2000


> > The open question is what the appropriate fix should be.
> > My thought is to simply track the number of bogus requests
> > sent to the server, and kill the connection when too
> > many of them have been seen.
> 
> Just off the top of my head, won't the next bogus request
> (after being dropped) just cause another forked smbd
> resulting in the same behavior?

No.  These requests are all coming in on the same tcp connection (hence
they are talking to the same smbd process).  Having an attacker create
many connection attempts to the smbd port is a very different type of
attack.  In that case, the OS's accept() queue would fill, and the
machine would start to drop incoming connections.  The only way to solve
that is with TCP-level packet filtering, to do early drop of the
unwanted connections inside the kernel.  But in any case, this is a very
separate problem.
 
> But let's put this into perspective.  Everyone should know
> that if they allow the standard NetBIOS ports through
> their firewall, they are asking for it.  If someone on
> your internal network does this, you yank their network
> cable for a week minimum and bang on their head with a
> rubber bat. :-)
> 
> Let's address the risk.  I know the DoS is real,
> but is it realistic.  Just asking.  No flames please.

Mmm...  What about trojan horses behind the firewall (email viruses, and
the like)?  An ftp-bounce attack could also be used to exploit this sort
of a hole.  Also, broken client software could cause this problem too. 
It's so easy to fix, I can't see any reason not to.  ;-)

-Rob
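The per-connection counter proposed at the top of this exchange, sketched as an added example (editor's illustration, not Samba's own code); the NetBIOS/SMB framing check, the threshold of 8 and the constructed packets are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Malformed requests tolerated on one TCP connection before it is closed
 * (assumed threshold for this sketch, not a Samba setting). */
#define MAX_BOGUS_REQUESTS 8

/* Per-connection state: one smbd process serves exactly one TCP connection. */
struct smb_conn {
    unsigned bogus_count;  /* malformed requests seen so far */
    bool closed;
};

/* Simplified framing check: 4-byte NetBIOS session header (type 0x00,
 * 24-bit big-endian length), then a 32-byte SMB header with 0xFF "SMB" magic. */
static bool request_is_valid(const uint8_t *buf, size_t len)
{
    if (len < 4 + 32 || buf[0] != 0x00)
        return false;
    size_t declared = ((size_t)buf[1] << 16) | ((size_t)buf[2] << 8) | buf[3];
    return declared == len - 4 && memcmp(buf + 4, "\xFF" "SMB", 4) == 0;
}

/* Handle one request; returns false once the connection has used up its
 * bogus-request budget and has been closed. */
bool handle_request(struct smb_conn *c, const uint8_t *buf, size_t len)
{
    if (c->closed)
        return false;
    if (request_is_valid(buf, len))
        return true;  /* ... dispatch the well-formed request here ... */
    if (++c->bogus_count > MAX_BOGUS_REQUESTS) {
        c->closed = true;  /* real code: close the socket and exit smbd */
        return false;
    }
    return true;  /* drop this request but keep serving the socket */
}

/* Constructed demo: feed n malformed packets (wrong session type, too
 * short) on one connection and report whether it is still open. */
bool survives_bogus_stream(unsigned n)
{
    struct smb_conn c = { 0, false };
    const uint8_t junk[8] = { 0x85, 0, 0, 4, 1, 2, 3, 4 };
    for (unsigned i = 0; i < n; i++)
        if (!handle_request(&c, junk, sizeof junk))
            return false;
    return true;
}
```

Because the state is per connection, a stream of junk on one socket only ever costs the server that one smbd, which is the point Rob makes above.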

