This is a message I saw on the kernel mailing list:

On Fri, 16 Aug 1996, Klaus Lichtenwalder wrote:

> I have an application that for simplicity backs up new files from a file
> server via rsh. This thingy stops after a few rsh calls to the remote
> Linux machine. The following message can be found in syslog:
>
> Aug 16 17:53:59 gaston inetd[73]: shell/tcp server failing (looping),
> service terminated
>
> Needless to say, the backup scripts then hang idle.

This is due to inetd killing any port that has more than 40 requests per minute.

Obviously, this could be a denial of service attack. evil.com writes a program which, all at once, sends out 40 connection requests to good.edu's telnet port. Good.edu's inetd, thinking that something is broken, stops allowing incoming telnets. While any site with good administrators would be able to fix this problem in a matter of minutes, this could be a problem for a site which is normally unattended.

Ideas for solution:

1. Add a number after nowait for TCP services in /etc/inetd.conf. This number represents the max number of requests per minute. Set it to 32000 or something. Note that this requires a recent version of inetd. (I run 1.1)

2. Block access to all ports except from "trusted sites". This assumes an open environment where the network medium is generally trusted. Note that IP spoofing attacks can occur if the network is not trusted.

I didn't bring this up to demonstrate an astonishing insight into security. Rather, I brought this up to spark some discussion on other possible attacks, based on this one, as well as solutions to these attacks. Not everyone has the advantage of being able to log onto the console of every machine they administrate, and the thought of having someone able to willfully cause me work does not appeal to me.

This affects, at least, Red Hat 3.0.3. I assume it affects nearly every distribution.

[REW: I couldn't reproduce the "terminating service" on my Slackware distribution. It seems to have the same 1.1 version of inetd. I suspect that the machine is too slow to accept more than 40 requests per minute. I'd rather have the "init" behaviour: "id "c1" respawning too fast: Disabled for 5 minutes"]
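The following shell snippet is an added example, not part of the post or of any inetd distribution. It audits inetd.conf lines for the per-minute spawn limit that solution 1 talks about (the "nowait.N" suffix of the wait/nowait field; when the suffix is absent, the compiled-in default the post reports, 40, applies), rewrites a line with a higher limit, and extracts the affected service from the "server failing (looping)" syslog message quoted above so a monitoring job can alert on it. The inetd.conf sample line is constructed; the syslog line is the one from the post.

```shell
#!/bin/sh
# Added example: audit inetd.conf rate limits and detect the inetd
# "server failing (looping)" message. Not code from the original post.

# Default per-minute limit compiled into the inetd the post describes.
INETD_DEFAULT_MAX=40

# effective_limit LINE
#   Prints the per-minute spawn limit that applies to one inetd.conf line:
#   the N from a "wait.N"/"nowait.N" field, or the default when there is
#   no suffix. Comment lines and malformed lines print nothing.
effective_limit() {
    printf '%s\n' "$1" | awk -v def="$INETD_DEFAULT_MAX" '
        $1 ~ /^#/ || NF < 6 { next }
        {
            n = split($4, f, ".")
            print (n == 2 && f[2] ~ /^[0-9]+$/) ? f[2] : def
        }'
}

# raise_limit LINE MAX
#   Prints LINE with its wait/nowait field rewritten as "nowait.MAX"
#   (or "wait.MAX"), replacing any suffix that was already present.
raise_limit() {
    printf '%s\n' "$1" | awk -v max="$2" '{
        split($4, f, ".")
        $4 = f[1] "." max
        print
    }'
}

# looping_service LINE
#   Prints "service/proto" when LINE is the inetd syslog message that
#   accompanies the rate-limit trip, otherwise prints nothing.
looping_service() {
    printf '%s\n' "$1" | sed -n \
        's/.*inetd\[[0-9]*\]: \([a-z0-9_-]*\/[a-z]*\) server failing (looping).*/\1/p'
}

# Constructed inetd.conf entry for the rsh service (not from the post).
CONF_SHELL='shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd'
# Syslog line quoted in the post.
SYSLOG_LINE='Aug 16 17:53:59 gaston inetd[73]: shell/tcp server failing (looping), service terminated'

echo "current limit:  $(effective_limit "$CONF_SHELL") per minute"
echo "raised entry:   $(raise_limit "$CONF_SHELL" 32000)"
echo "tripped service: $(looping_service "$SYSLOG_LINE")"
```

Running effective_limit over every line of /etc/inetd.conf shows which services still sit at the default and would be knocked out by 40 connections in a minute; looping_service is the piece to feed syslog into, since the post's point is that the outage is silent unless somebody is watching that log.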