D. J. Bernstein

An inetd memory exhaustion attack

My inetd-chew program maintains 30 connections to the finger port on a target host. If a connection dies, it reconnects. It pauses 2 seconds between every connection so that inetd's ``rate-limiting'' features don't kick in.

The amount of virtual memory chewed up by inetd when inetd-chew is running depends on the target operating system. The record is 6MB, achieved by Solaris; 20 copies of inetd-chew eat up 120MB of virtual memory, destroying most other processes on the system. (inetd-chew can also be configured to make more connections from one process, if the local FD_SETSIZE and rlimits are high enough.)

The simplest solution is a concurrency limit, as offered by ucspi-tcp/tcpserver. This is one of the many resource allocation mechanisms available to the UNIX system administrator.
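To show what such a concurrency limit buys a defender, here is an added example (not code from this page, nor from ucspi-tcp) of an accept loop that never runs more than a fixed number of handlers at once. Rather than accepting and spawning a handler for every connection as inetd does, it blocks on a semaphore before each accept(), so that surplus clients wait in the kernel listen backlog instead of each costing a new process. The class and function names (LimitedServer, connect_many, demo), the hold time, and the connection counts are all constructed for illustration; the load generator simply opens idle connections to the local test server.

```python
import socket
import threading
import time

# Illustrative accept loop (not tcpserver's own code): at most `limit`
# handlers are alive at any moment, which is the property inetd lacks.


class LimitedServer:
    def __init__(self, limit, hold_seconds=0.2):
        self.limit = limit
        self.hold_seconds = hold_seconds            # how long each handler stays alive
        self.slots = threading.Semaphore(limit)     # one permit per concurrent handler
        self.lock = threading.Lock()
        self.active = 0
        self.peak_active = 0
        self.served = 0
        self.stopping = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))            # loopback only, ephemeral port
        self.sock.listen(64)
        self.sock.settimeout(0.1)                   # lets the loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        self.thread.start()

    def _accept_loop(self):
        while not self.stopping.is_set():
            # Wait for a free slot BEFORE accepting. With every slot taken,
            # new clients sit in the backlog; no handler is created for them.
            if not self.slots.acquire(timeout=0.1):
                continue
            try:
                conn, _ = self.sock.accept()
            except (socket.timeout, OSError):
                self.slots.release()
                continue
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with self.lock:
            self.active += 1
            self.peak_active = max(self.peak_active, self.active)
        try:
            conn.sendall(b"placeholder banner\r\n")
            time.sleep(self.hold_seconds)  # stand-in for a client that holds its handler open
        finally:
            conn.close()
            with self.lock:
                self.active -= 1
                self.served += 1
            self.slots.release()            # hand the slot to the next queued client

    def stop(self):
        self.stopping.set()
        self.thread.join()
        self.sock.close()


def connect_many(port, count):
    # Constructed load: open `count` connections and leave them idle.
    return [socket.create_connection(("127.0.0.1", port)) for _ in range(count)]


def demo(limit=3, clients=8, hold_seconds=0.2):
    """Run the limited server, throw `clients` idle connections at it, and
    report the peak number of simultaneous handlers and how many were served."""
    server = LimitedServer(limit, hold_seconds)
    server.start()
    conns = connect_many(server.port, clients)
    deadline = time.time() + 10
    while server.served < clients and time.time() < deadline:
        time.sleep(0.05)
    for s in conns:
        s.close()
    server.stop()
    return {"peak_active": server.peak_active, "served": server.served}


if __name__ == "__main__":
    print(demo())
```

Every client is eventually served, but the server's footprint is bounded by the limit, not by how many connections an attacker can hold open. In ucspi-tcp the same cap is the -c option of tcpserver, which stops accepting once that many connections are being handled.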

Note that Wietse Venema's tcpd doesn't prevent this attack. Someone as dishonest as Venema would probably publish this as a ``tcpd exploit.'' The truth is that it isn't tcpd's job to impose a concurrency limit.