Multiple Platform remote CPU load issue in Samba 1.x and 2.x
jas88 at cam.ac.uk
Wed Jun 14 14:44:16 GMT 2000
On Wed, 14 Jun 2000, J. Robert von Behren wrote:
> Hey all -
> I've repeated the test on my box, in addition to tracing through the
> code. Here is what happens:
> 1) netcat (or nc) on the attacker machine makes a connection to port
> 139 on the victim
> 2) smbd on the victim forks another process to handle the new
> 3) the child smbd process goes into its normal processing loop
> 4) the child correctly identifies the all-zeros message as bogus, and
> sends back an error message to the "client" program (nc in this case)
> The problem is quite simple: smbd allows an infinite number of bogus
> requests to be sent to it. Responding to these bogus requests requires
> string manipulation, memory copying, and network reads/writes. In the
> case of "nc localhost 139 < /dev/zero", the server has to push a lot
> more bytes and do a lot more computation to generate the errors than the
> attacker has to do to generate zeros. Hence, the server load spirals
> out of control, while the attacker is relatively idle. I think this is
> pretty cut and dry.
> The open question is what the appropriate fix should be. My thought is
> to simply track the number of bogus requests sent to the server, and
> kill the connection when too many of them have been seen.
Sounds good to me; one issue we might want to watch for, though, is this:
If we handle X bogus commands, then close the connection, a DoS tool can
just connect, feed us 0s until we close it, then open another connection.
To handle a DoS like this, probably the best approach is to stop parsing
after a certain number of tries, and just read and discard all the data we
are fed? At this point, our load is no greater than the attacker's.
We also need to log the event, so the system admin can investigate if this
becomes a problem.
Question: What does NT do in this event??
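To make the proposal above concrete, here is an added example (my own sketch, not Samba's code or a patch against it) of a per-connection policy that answers bogus messages with an error up to a threshold, logs once, and then switches the connection into read-and-discard mode so that no further parsing or replies happen. Framing is the NetBIOS session service: a 4-byte header (type, flags, 17-bit length) followed by the body. A message is treated as well-formed only if it is a session message (type 0x00) whose body is at least 32 bytes and starts with the "\xffSMB" magic; session requests (0x81), keepalives (0x85) and full SMB header validation are omitted. The threshold MAX_BOGUS, the tally structure and the sample byte streams are all my assumptions, constructed for the demonstration.

```c
/*
 * Added example, not Samba code: limit the work smbd spends on bogus
 * requests. Assumed framing: NetBIOS session service header (type, flags,
 * 17-bit length) followed by an SMB body beginning with "\xffSMB".
 * MAX_BOGUS and the tally fields are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NB_HDR_LEN   4
#define SMB_HDR_LEN  32
#define MAX_BOGUS    5        /* hypothetical threshold */

enum action { ACT_PROCESS, ACT_ERROR_REPLY, ACT_DISCARD };

struct conn_state {
    unsigned bogus_count;
    int draining;             /* once set: no more parsing, no more replies */
};

struct tally {
    unsigned processed;       /* well-formed SMBs handed to the dispatcher */
    unsigned error_replies;   /* bogus messages answered with an error */
    unsigned discarded;       /* framed messages dropped after the threshold */
    size_t   drained_bytes;   /* bytes read and thrown away without framing */
};

static size_t nb_body_len(const uint8_t *hdr)
{
    return ((size_t)(hdr[1] & 0x01) << 16) | ((size_t)hdr[2] << 8) | hdr[3];
}

/* Session message (0x00) carrying at least an SMB header with the magic. */
static int valid_smb(const uint8_t *hdr, const uint8_t *body, size_t len)
{
    return hdr[0] == 0x00 && len >= SMB_HDR_LEN
        && body[0] == 0xff && memcmp(body + 1, "SMB", 3) == 0;
}

/* Decide what to do with one framed message. */
enum action classify(struct conn_state *st, const uint8_t *hdr,
                     const uint8_t *body, size_t len)
{
    if (st->draining)
        return ACT_DISCARD;
    if (valid_smb(hdr, body, len))
        return ACT_PROCESS;

    if (++st->bogus_count >= MAX_BOGUS) {
        /* Log once so the admin can investigate, then stop doing work. */
        fprintf(stderr, "smbd: %u bogus requests on one connection, "
                        "discarding further input\n", st->bogus_count);
        st->draining = 1;
        return ACT_DISCARD;
    }
    return ACT_ERROR_REPLY;   /* cheap error reply, as smbd does today */
}

/* Feed a received byte stream through classify() and report what happened. */
struct tally run_stream(const uint8_t *data, size_t n)
{
    struct conn_state st = {0, 0};
    struct tally t = {0, 0, 0, 0};
    size_t off = 0;

    while (off + NB_HDR_LEN <= n) {
        const uint8_t *hdr = data + off;
        size_t len = nb_body_len(hdr);
        if (off + NB_HDR_LEN + len > n)
            break;                          /* incomplete: wait for more */

        switch (classify(&st, hdr, hdr + NB_HDR_LEN, len)) {
        case ACT_PROCESS:     t.processed++;     break;
        case ACT_ERROR_REPLY: t.error_replies++; break;
        case ACT_DISCARD:     t.discarded++;     break;
        }
        off += NB_HDR_LEN + len;

        if (st.draining) {
            /* Everything after the threshold is read and dropped without
               framing, so our cost per byte is no higher than the attacker's. */
            t.drained_bytes = n - off;
            off = n;
        }
    }
    return t;
}

/* Constructed inputs. 40 zero bytes are what "nc victim 139 < /dev/zero"
   delivers: ten 4-byte headers, each announcing a zero-length body. */
static const uint8_t ZERO_STREAM[40] = {0};
/* One session message carrying a 32-byte body that starts with the SMB magic. */
static const uint8_t GOOD_FRAME[NB_HDR_LEN + SMB_HDR_LEN] =
    { 0x00, 0x00, 0x00, SMB_HDR_LEN, 0xff, 'S', 'M', 'B' };
/* Three bogus messages, then a good one: below the threshold, still served. */
static const uint8_t MIXED_STREAM[12 + NB_HDR_LEN + SMB_HDR_LEN] =
    { [12] = 0x00, 0x00, 0x00, SMB_HDR_LEN, 0xff, 'S', 'M', 'B' };

int main(void)
{
    struct tally z = run_stream(ZERO_STREAM, sizeof ZERO_STREAM);
    printf("zeros: %u error replies, %u discarded, %zu bytes drained\n",
           z.error_replies, z.discarded, z.drained_bytes);
    struct tally m = run_stream(MIXED_STREAM, sizeof MIXED_STREAM);
    printf("mixed: %u error replies, %u processed\n",
           m.error_replies, m.processed);
    return 0;
}
```

With the zero stream the first four messages still get an error reply, the fifth trips the threshold, and the remaining 20 bytes are drained without being framed. The mixed stream shows the other half of the trade-off: a client that sends a few malformed messages and then a real one is still served, because the count only matters once it reaches the threshold. Whether to reset the count on a valid message, and whether draining forever is preferable to closing the socket after a delay, are policy choices the thread leaves open.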