From matthias.andree@web.de  Mon Jan  7 17:22:11 2002
Return-Path: <matthias.andree@web.de>
Received: from krusty.e-technik.uni-dortmund.de (krusty.E-Technik.Uni-Dortmund.DE [129.217.163.1])
	by hub.freebsd.org (Postfix) with ESMTP id BE81737B400
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  7 Jan 2002 17:22:10 -0800 (PST)
Received: from emma1.emma.line.org (krusty.dt.e-technik.uni-dortmund.de [129.217.163.1])
	by krusty.e-technik.uni-dortmund.de (Postfix) with ESMTP id 06505A3826
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  8 Jan 2002 02:22:06 +0100 (CET)
Received: from freebsd.emma.line.org (freebsd.emma.line.org [192.168.0.4])
	by emma1.emma.line.org (Postfix) with ESMTP id 26F3AA200B
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  8 Jan 2002 01:48:54 +0100 (CET)
Received: by freebsd.emma.line.org (Postfix, from userid 500)
	id 2124F2D328; Mon,  7 Jan 2002 23:40:55 +0100 (CET)
Message-Id: <20020107224055.2124F2D328@freebsd.emma.line.org>
Date: Mon,  7 Jan 2002 23:40:55 +0100 (CET)
From: Matthias Andree <matthias.andree@web.de>
Reply-To: Matthias Andree <matthias.andree@web.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: default inetd install allows for unlimited resource use
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         33670
>Category:       conf
>Synopsis:       default inetd install allows for unlimited resource use
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    dwmalone
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 07 17:30:00 PST 2002
>Closed-Date:    Mon Sep 27 18:46:54 GMT 2004
>Last-Modified:  Mon Sep 27 18:46:54 GMT 2004
>Originator:     Matthias Andree
>Release:        FreeBSD 4.5-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD freebsd.emma.line.org 4.5-PRERELEASE FreeBSD 4.5-PRERELEASE #0: Thu Jan 3 16:41:15 CET 2002 root@freebsd.emma.line.org:/usr/src/sys/compile/M2A2 i386


	
>Description:
By default, FreeBSD runs inetd. While the FreeBSD implementation of
inetd has an outstanding feature set, regretfully, this is not used to
protect a system to the full extent.

Daniel J. Bernstein, like him or not, describes an attack on inetd,
http://cr.yp.to/docs/inetd.c, which can be refined and used against
FreeBSD.

However, unlike many other inetd implementations, FreeBSD's HAS the
ability to limit the total number of connections per service, by means
of the -c option, but this is not currently used.
	
>How-To-Repeat:
Connect, but do not release, connections just below the maximum
connect/minute rate.
	
>Fix:
I'm not sure if it's sufficient, but it looks as though changing
inetd_flags in /etc/defaults/rc.conf to "-wWc20" might help: no more
than 20 servers per service could then be running at the same time.
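The setting proposed above is easy to get wrong when flags are written combined ("-wWc20") in one place and separated ("-c 20") in another. The following is an added audit script, not part of this PR or of FreeBSD's rc scripts: it pulls inetd_flags out of an rc.conf-style file, parses the string the way inetd's option parser would, and reports whether a per-service concurrency cap (-c) and a per-source rate cap (-C) are present. The getopts option string is assumed from inetd(8) of that era, and the two rc.conf samples (the old "-wW" default and a hardened setting) are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit check (not from the PR): does an inetd_flags string cap
# simultaneous children per service (-c) and connections per minute from
# one source address (-C)?  Option letters assumed from inetd(8).

# Print the argument of single-letter option $2 found in flags string $1.
# Options taking no argument print "set".  Returns 1 if the option is absent.
inetd_flag_value() {
    want=$2
    set -- $1            # split the string as rc(8) does when exec'ing inetd
    OPTIND=1
    while OPTARG=; getopts 'dlwWR:a:c:C:p:' opt; do
        if [ "$opt" = "$want" ]; then
            echo "${OPTARG:-set}"
            return 0
        fi
    done
    return 1
}

# Print the value of the last inetd_flags="..." assignment in file $1.
rcconf_inetd_flags() {
    sed -n 's/^[[:space:]]*inetd_flags="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Audit one flags string.  Prints findings; returns 0 only if both caps exist.
audit_inetd_flags() {
    flags=$1
    rc=0
    if c=$(inetd_flag_value "$flags" c); then
        echo "ok:   -c $c caps simultaneous servers per service"
    else
        echo "FAIL: no -c; clients that connect and never disconnect can keep forking servers without bound"
        rc=1
    fi
    if C=$(inetd_flag_value "$flags" C); then
        echo "ok:   -C $C caps connections per minute from a single address"
    else
        echo "FAIL: no -C; one address may consume the whole per-service connection rate"
        rc=1
    fi
    return $rc
}

# Constructed samples: the old default (TCP wrappers only) and a hardened line.
weak=$(mktemp)
printf 'inetd_enable="YES"\ninetd_flags="-wW"\n' > "$weak"
hardened=$(mktemp)
printf 'inetd_flags="-wW -c 20 -C 60"\n' > "$hardened"
for f in "$weak" "$hardened"; do
    flags=$(rcconf_inetd_flags "$f")
    echo "== inetd_flags=\"$flags\""
    audit_inetd_flags "$flags" || true
done
rm -f "$weak" "$hardened"
```

Run it against a real /etc/rc.conf and /etc/defaults/rc.conf by pointing rcconf_inetd_flags at each file (rc.conf overrides the defaults file when both set inetd_flags). The two limits are not interchangeable: -C bounds how fast one address may connect, so a single source holding connections open just under that rate still accumulates children over time; -c is what bounds the total number of servers per service regardless of who is connecting.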
	


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->dwmalone 
Responsible-Changed-By: dwmalone 
Responsible-Changed-When: Tue Jan 8 10:52:12 PST 2002 
Responsible-Changed-Why:  
I'll take a look at this, as inetd is my problem. 

While making "-c 20" would protect people against such attacks, 
I'd be worried about it upsetting people who run inetd at big sites. 
Maybe we should run it by freebsd-stable and freebsd-audit and see what 
the general opinion is? 


http://www.FreeBSD.org/cgi/query-pr.cgi?pr=33670 

From: des@des.no (Dag-Erling Smørgrav)
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: conf/33670
Date: Mon, 27 Sep 2004 20:34:43 +0200

 The Center for Internet Security's FreeBSD benchmark (available from
 http://www.cisecurity.org/) recommends -C60.  I suggest we do the
 same, if only to avoid confusing users.
 
 DES
 -- 
 Dag-Erling Smørgrav - des@des.no
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Mon Sep 27 18:46:53 GMT 2004 
State-Changed-Why:  
This was fixed in 5.x last september, and I just merged the patch to 4.x 

http://www.freebsd.org/cgi/query-pr.cgi?pr=33670 
>Unformatted:
