Multiple Platform remote CPU load issue in Samba 1.x and 2.x
James Sutherland
jas88 at cam.ac.uk
Wed Jun 14 18:55:23 GMT 2000
On Thu, 15 Jun 2000, Maulik Desai wrote:
> > From: James Sutherland [mailto:jas88 at cam.ac.uk]
> >
> > To handle a DoS like this, probably the best approach is to stop parsing
> > after a certain number of tries, and just read and discard all the data we
> > are fed? At this point, our load is no greater than the attacker's.
>
> I like this approach. David suggested a similar approach, I think.

Looks like this is the option to go for, then? Whose code is this - will
anyone feel they are having their toes trodden on if I take a shot?

> > Question: What does NT do in this event??
>
> I tried this on NT4.0 ws (from RH Linux 6.0, 2.2.5-15) and
> it appears that NT behaves similarly. That is, it only
> replies back once (first time) and after that it never
> replies to subsequent NBT packets. The cpu load on NT
> doesn't go up (just a small spike). On the linux, that
> is what I see:
>
> $ nc -v -v 10.35.20.75 139 < /dev/zero
> ntws [10.35.20.75] 139 (netbios-ssn) open
> send 40960, rcvd 5
> $
>
> Note that 'nc' exits immediately in this case (unlike the samba/linux case).

Yep. Presumably the NT box has now closed the session. This is a slight
vulnerability, I think - could you try a shell script which will run that
command repeatedly, please? (I don't have an NT box to hand ATM)

James.
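
The approach agreed on in this thread (stop parsing after a certain number of tries, then just read and discard), as an added example that is not part of the original message and is not Samba's code. The names `nbt_session`, `nbt_feed` and `MAX_BAD_FRAMES` are hypothetical, the limit of 16 is an assumed value, and "tries" is read here as consecutive session frames that carry no SMB message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BAD_FRAMES 16  /* assumed limit; the thread does not give a number */
struct nbt_session {
    unsigned bad_frames;  /* consecutive frames with no usable SMB message */
    int discarding;       /* set once the limit is hit: parser is bypassed */
    size_t parsed;        /* frames that went through the parser */
    size_t discarded;     /* bytes read and dropped without parsing */
};

/* Feed one receive buffer; returns the number of frames passed to the SMB layer.
 * Simplification: each buffer holds whole frames (a server would buffer partials). */
size_t nbt_feed(struct nbt_session *s, const uint8_t *buf, size_t len)
{
    size_t off = 0, good = 0;
    while (off < len) {
        if (s->discarding) {            /* read and discard, no parsing */
            s->discarded += len - off;
            break;
        }
        if (len - off < 4) break;
        /* RFC 1002 header: type, flags (low bit extends length), 16-bit length */
        uint8_t type = buf[off];
        size_t plen = ((size_t)(buf[off + 1] & 1) << 16) |
                      ((size_t)buf[off + 2] << 8) | buf[off + 3];
        if (len - off - 4 < plen) break;
        const uint8_t *payload = buf + off + 4;
        off += 4 + plen;
        s->parsed++;
        if (type == 0x00 && plen >= 4 && memcmp(payload, "\xffSMB", 4) == 0) {
            s->bad_frames = 0;          /* real SMB message resets the count */
            good++;
        } else if (type != 0x85 && ++s->bad_frames >= MAX_BAD_FRAMES) {
            s->discarding = 1;          /* 0x85 keepalives are not counted */
        }
    }
    return good;
}

int main(void)
{
    static uint8_t zeros[40960];   /* constructed input: a /dev/zero-style flood */
    struct nbt_session s = {0};
    nbt_feed(&s, zeros, sizeof zeros);
    printf("parsed=%zu discarded=%zu\n", s.parsed, s.discarded);
    return 0;
}
```

A stream of zero bytes decodes as an endless run of zero-length session messages, so the parser handles only the first 16 frames and the remaining bytes cost one counter update per buffer.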