Multiple Platform remote CPU load issue in Samba 1.x and 2.x

James Sutherland jas88 at
Wed Jun 14 14:47:48 GMT 2000

On Wed, 14 Jun 2000, Gerald Carter wrote:

> "J. Robert von Behren" wrote:
> > 
> > The open question is what the appropriate fix should be.  
> > My thought is to simply track the number of bogus requests 
> > sent to the server, and kill the connection when too 
> > many of them have been seen.
> Just off the top of my head, won't the next bogus request (after being
> dropped) just cause another forked smbd resulting in the same
> behavior?

I think so, which is why we need to do something different - direct
subsequent commands on the duff connection to /dev/null.

> But let's put this into perspective.  Everyone should know that if
> they allow the standard NetBIOS ports through their firewall, the are
> asking for it.  If someone on your internal network does this, you
> yank their network cable for a week minimum and bang on their head
> with a rubber bat. :-)

Yep - except not everyone is behind a decent firewall. Think about
university machines, for example. (Actually, here we are about to start
blocking the NetBIOS ports, but I suspect we are unusual in that respect.)

Worse, plenty of home users will be getting always-on access (DSL, cable
modems, etc) and having Samba running...

> Let's address the risk.  I know the DoS is real, but is it realistic.  
> Just asking.  No flames please.

It's realistic enough we should deal with it as well as possible,
certainly. I don't think it's a major issue, but it should be dealt with.


More information about the samba-technical mailing list