Multiple Platform remote CPU load issue in Samba 1.x and 2.x

James Sutherland jas88 at
Wed Jun 14 18:55:23 GMT 2000

On Thu, 15 Jun 2000, Maulik Desai wrote:
> > From: James Sutherland [mailto:jas88 at]
> >
> > To handle a DoS like this, probably the best approach is to 
> > stop parsing
> > after a certain number of tries, and just read and discard 
> > all the data we
> > are fed? At this point, our load is no greater than the attacker's.
> I like this approach. David suggested a similar approach, 
> I think.

Looks like this is the option to go for, then? Whose code is this - will
anyone feel they are having their toes trodden on if I take a shot?

> > Question: What does NT do in this event??
> I tried this on NT4.0 ws (from RH Linux 6.0, 2.2.5-15) and 
> it appears that NT behaves similarly. That is, it only 
> replies back once (first  time) and after that it never 
> replies to subsequent NBT packets. The  cpu load on NT 
> doesn't go up (just a small spike). On the linux, that 
> is what I see:
> $ nc -v -v 139 < /dev/zero
>   ntws [] 139 (netbios-ssn) open
>    send 40960, rcvd 5
> $
> Note that 'nc' exits immediately in this case (unlike the samba/linux case).

Yep. Presumably the NT box has now closed the session. This is a slight
vulnerability, I think - could you try a shell script which will run that
command repeatedly, please? (I don't have an NT box to hand ATM)


More information about the samba-technical mailing list