Multiple Platform remote CPU load issue in Samba 1.x and 2.x

David Collier-Brown David.Collier-Brown at canada.sun.com
Wed Jun 14 14:16:54 GMT 2000


"J. Robert von Behren" wrote:
> >
> > The open question is what the appropriate fix should be.
> > My thought is to simply track the number of bogus requests
> > sent to the server, and kill the connection when too
> > many of them have been seen.

> Gerald Carter wrote:
> Just off the top of my head, won't the next bogus request
> (after being dropped) just cause another forked smbd
> resulting in the same behavior?

	Yup!

	One thing we might well do is 
	(1) detect a certain number of bogons/second over 
            a specified period, and then
	(2) stall the sender.

	As all sorts of dumb things can cause shredded
	TCP packets, we do need to make sure this is really
	an attack, not just a buggy client/network.  
	I'd suggest two smb options and a constant:
		attack frequency = <integer bogons/period>
		attack action = <shell command>
	and the constant is the period, say 10 seconds.
	

	My preferred action on getting an attack is
		a) warn the sysadmin via mail
		b) stall the TCP session
	The latter is a mere matter of not reading from
	the socket: this will prevent acks, and the 
	sender will quickly have his window size fall to
	zero. This leaves the session in place for tracing, too.

	It's dangerous, though, to legitimate users on
	badly buggy networks: it probably should only
	be done if attack frequency is explicitly set to
	a non-zero value.

	Optionally we should wait a time period, say 10 minutes,
	and then exit, so as not to allow the attacker to fill
	up our process table.

> Let's address the risk.  I know the DoS is real,
> but is it realistic.  Just asking.  No flames please.

	It's a heavyweight response to a problem that
	may or may not be significant to a chunk of our
	user community...

	If I were to plan on fixing it, I'd make sure I'd
	generalized the fix to allow for recycling it for
	other kinds of attacks...

--dave
-- 
David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
Willowdale, Ontario   | //www.oreilly.com/catalog/samba/author.html
Work: (905) 415-2849 Home: (416) 223-8968 Email: davecb at canada.sun.com
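
The detect-then-stall logic proposed in the message above, as an added sketch that is not Samba code and not part of the original post: bogus requests are counted per connection over a fixed 10-second period, the check stays off unless the frequency is set to a non-zero value, and a stalled connection is held for 10 minutes before the process exits. All type and function names are hypothetical, and treating "count reaches the configured frequency" as the trigger is an assumption.

```c
#include <stdio.h>
#include <time.h>
#define ATTACK_PERIOD_SECS 10   /* the fixed period suggested in the post */
#define STALL_LIMIT_SECS   600  /* "say 10 minutes" before the process exits */
enum conn_action { CONN_SERVE, CONN_STALL, CONN_EXIT };

struct bogon_tracker {              /* hypothetical per-connection state */
    int    attack_frequency;        /* bogons per period; 0 leaves the check off */
    int    bogons;                  /* bogus requests seen in the current period */
    int    stalled;                 /* set once the threshold has been reached */
    time_t window_start, stalled_at; /* period start; when the stall began */
};

void tracker_init(struct bogon_tracker *t, int attack_frequency, time_t now)
{
    *t = (struct bogon_tracker){ .attack_frequency = attack_frequency, .window_start = now };
}

/* CONN_STALL: keep the socket open but stop reading it, so the peer's window closes. */
enum conn_action tracker_poll(const struct bogon_tracker *t, time_t now)
{
    if (!t->stalled) return CONN_SERVE;
    return (now - t->stalled_at >= STALL_LIMIT_SECS) ? CONN_EXIT : CONN_STALL;
}

/* Record one bogus request. Assumption: reaching the configured count inside
 * one period triggers the stall; a new period starts the count again. */
enum conn_action tracker_bogon(struct bogon_tracker *t, time_t now)
{
    if (t->attack_frequency <= 0) return CONN_SERVE;   /* explicit opt-in only */
    if (!t->stalled && now - t->window_start >= ATTACK_PERIOD_SECS) {
        t->window_start = now;
        t->bogons = 0;
    }
    if (!t->stalled && ++t->bogons >= t->attack_frequency) {
        t->stalled = 1;
        t->stalled_at = now;
    }
    return tracker_poll(t, now);
}

int main(void)
{
    struct bogon_tracker t;
    tracker_init(&t, 3, 0);               /* constructed timeline, in seconds */
    for (time_t s = 1; s <= 3; s++)
        printf("t=%ld action=%d\n", (long)s, tracker_bogon(&t, s));
    printf("t=603 action=%d\n", tracker_poll(&t, 603));
}
```

A bogon rate that stays below the threshold within each period, as a flaky client or network might produce, never reaches CONN_STALL.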

