Multiple Platform remote CPU load issue in Samba 1.x and 2.x

Christopher R. Hertel crh at nts.umn.edu
Wed Jun 14 17:54:10 GMT 2000


> I think there is a bit of confusion on this point.  nc/netcat will
> create _exactly one_ tcp connection to the specified port, and then dump
> stuff at it.

Right, but if it's really an attack then it's not a far stretch to open 
multiple connects.

> Hence, in the ps output you showed below, there were only
> two smbd processes - the listener, and the one processing the bogus
> commands.  Recognizing and handling bogus commands requires user-level
> parsing of incoming data, and hence should be handled by the child smbd
> process.  Doing early drop of spurious _connections_ is an entirely
> different issue, and should be handled differently.

Okay.  So you're suggesting that the primary smbd process check for bogus 
connects.  Makes sense, I suppose, but there are a few things to work 
around.  For example, the TCP and IP headers may all be legit, but the 
SMB content may be garbage.  You have to do at least minimal parsing of 
the packet content to know if it's reasonable.

> Unfortunately, dealing with DOS attacks that create _many_ connections
> are much more difficult to thwart.  The only true way to thwart these is
> to have the kernel do IP-address filtering (similar to tcpd), and drop
> any connections from hosts that are determined to be bad citizens.

My gut reaction is that such policy should be implemented outside of
Samba, but then I'm not sure how something like ip-filter would be able to
tell that the connection was bogus.

> If we have to fork another smbd process before this drop can occur, then
> we will have already lost this battle, as an attacker could easily cause
> us to spawn an unlimited number of smbd processes (or simply use all
> available smbd processes up with bogus connections).

Yep.

> For our purposes, I think the best we can hope for is to keep track of
> IP addresses that are causing problems, and blacklist them for a time.
> A policy like "after N bogus connections from a host, drop new
> connections from that host for M minutes" would do the trick.  "bogus
> connections" would be defined as connections that had to be killed b/c
> of too many bad SMB commands.

Have to think about that.  At first glance it makes me feel uneasy.

Chris -)-----

-- 
Christopher R. Hertel -)-----                   University of Minnesota
crh at nts.umn.edu              Networking and Telecommunications Services

    Ideals are like stars; you will not succeed in touching them
    with your hands...you choose them as your guides, and following
    them you will reach your destiny.  --Carl Schultz
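The blacklist policy quoted in this exchange (after N bogus connections from a host, drop new connections from it for M minutes), written out as an added C sketch that is not Samba's code: the listener would consult `should_drop()` before forking a child, and a child killed for too many bad SMB commands would be reported through `record_bogus()`. The fixed-size table, N = 3, M = 5 minutes and the caller-supplied clock are assumptions made for the example.

```c
/* Added example (not Samba code): the "after N bogus connections from a
 * host, drop new connections from it for M minutes" policy as a table
 * the listener could consult before forking. Table size, N, M assumed. */
#include <stdint.h>
#include <time.h>

#define MAX_HOSTS      64       /* assumed fixed-size table */
#define BOGUS_LIMIT    3        /* N: bogus connections before blacklisting */
#define BLACKLIST_SECS (5 * 60) /* M minutes, here 5, in seconds */

struct host_entry {
    uint32_t ip;              /* host address; 0 marks a free slot */
    unsigned bogus_count;     /* bogus connections seen so far */
    time_t blacklisted_until; /* 0 = not blacklisted */
};
static struct host_entry table[MAX_HOSTS];

/* Find ip's slot, allocating one if create is set; NULL if none/full. */
static struct host_entry *lookup(uint32_t ip, int create)
{
    for (int i = 0; i < MAX_HOSTS; i++)
        if (table[i].ip == ip) return &table[i];
    if (!create) return NULL;
    for (int i = 0; i < MAX_HOSTS; i++)
        if (table[i].ip == 0) { table[i].ip = ip; return &table[i]; }
    return NULL;
}

/* Listener-side check before fork(): 1 = drop this connection now.
 * 'now' is passed in rather than read from time() so it can be tested. */
int should_drop(uint32_t ip, time_t now)
{
    struct host_entry *e = lookup(ip, 0);
    if (e == NULL || e->blacklisted_until == 0) return 0;
    if (now < e->blacklisted_until) return 1;
    e->blacklisted_until = 0;   /* M minutes elapsed: forgive the host */
    e->bogus_count = 0;
    return 0;
}

/* Report that a child smbd was killed for too many bad SMB commands.
 * Returns 1 if this report put the host on the blacklist. */
int record_bogus(uint32_t ip, time_t now)
{
    struct host_entry *e = lookup(ip, 1);
    if (e == NULL) return 0;    /* table full: silently ignored (assumption) */
    if (++e->bogus_count < BOGUS_LIMIT) return 0;
    e->blacklisted_until = now + BLACKLIST_SECS;
    return 1;
}
```

Note that nothing here parses SMB: the decision of what counts as a bogus connection still has to come from the child that saw the bad commands, which is exactly the layering the thread is arguing about.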
