
DoS Attack on Tru64 [was Netstat hangs]

Domaigne
Occasional Visitor

Dear Tru64 friends,

I believe I have now found the whole story about that netstat hang problem. And, as a by-product, a way of generating a kind of Denial of Service attack as a simple user.

As far as I can see, this issue applies up to the recent Tru64 5.1B. The attached file is a small C program showing the attack. It does nothing but write to a message queue until the maximal number of outstanding messages system-wide is reached.

Then that's it. Every program that uses /rdsym/ -- for instance, the one calling knlist() -- will block. Among others: nfsstat, pfstat, arp, ogated, rarpd, route, sendmail, srconfig, strsetup, trpt, netstat and xntpd...

They shall block, because it seems that /rdsym/ communicates with /kloadsrv/ via a message queue. Since the queues are "system-wide" full, then /rdsym/ blocks and so does the process calling knlist().

It is not directly a kernel BUG, but a very unfortunate design issue, IMHO. Because any "simple" /foobar/ (by "simple", I mean even without any root rights) might easily render the whole system pretty much useless... without a lot of effort!

This story is an 'aggregation' of various posts that can be found on the Web. I am a bit surprised, but it looks like nobody did the math so far...

Any comments?

Cheers from the vicinity of Alpha 21164-A
Loic.
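
A defender-side check for the condition described in the post, as an added example that is not part of the original post or its attachment: it sums outstanding messages per owner from `ipcs -q -o`-style output and alerts when the system-wide total nears the limit. The column layout, the sample lines and the `system_limit` value are constructed assumptions.

```python
# Added example: flag system-wide message-queue exhaustion from `ipcs -q -o` output.
from collections import defaultdict

# Constructed sample, modeled on the SVR4-style column layout
# (T ID KEY MODE OWNER GROUP CBYTES QNUM); the layout is an assumption.
SAMPLE_IPCS = """\
Message Queues:
T     ID     KEY        MODE       OWNER    GROUP  CBYTES  QNUM
q      0 0x0000a1b2 --rw-------     root   system       0     0
q      1 0x0000c3d4 --rw-rw-rw-     root   system      64     2
q    517 0x00000000 --rw-------   foobar    users    4900    38
"""

def parse_queues(text):
    """Return a list of (msqid, owner, cbytes, qnum) for each queue line."""
    queues = []
    for line in text.splitlines():
        f = line.split()
        # Queue lines start with 'q' and carry 8 fields; skip headers and noise.
        if len(f) != 8 or f[0] != "q":
            continue
        try:
            queues.append((int(f[1]), f[4], int(f[6]), int(f[7])))
        except ValueError:
            continue  # non-numeric ID/CBYTES/QNUM: not a queue line we understand
    return queues

def check_exhaustion(text, system_limit, warn_ratio=0.8):
    """Compare total outstanding messages with the system-wide limit."""
    per_owner = defaultdict(int)
    for _msqid, owner, _cbytes, qnum in parse_queues(text):
        per_owner[owner] += qnum
    total = sum(per_owner.values())
    top_owner = max(per_owner, key=per_owner.get) if per_owner else None
    return {
        "total": total,
        "alert": total >= warn_ratio * system_limit,
        "top_owner": top_owner,
        "top_share": per_owner[top_owner] / total if total else 0.0,
    }

if __name__ == "__main__":
    # system_limit=40 is a placeholder; use the host's configured value.
    print(check_exhaustion(SAMPLE_IPCS, system_limit=40))
```

A single unprivileged owner holding most of the outstanding messages while the total approaches the limit is the pattern to alert on, before knlist() callers such as netstat start to block.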