Subject: admin/11998: Dos Attack using unset(rstatd)
To: None <gnats-bugs@gnats.netbsd.org>
From: None <engino@btl.net>
List: netbsd-bugs
Date: 01/18/2001 23:48:21
>Number:         11998
>Category:       admin
>Synopsis:       Dos Attack using unset(rstatd)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    netbsd-admin
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jan 18 23:51:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Benjamin Burn
>Release:        1.4.2
>Organization:
Belize Internet Group
>Environment:
NetBSD sys1.belizeinternet.com 1.4.2 NetBSD 1.4.2 (GENERIC) #3: Wed Mar 15 23:41:54 PST 2000     toddpw@vader.toddpw.net:/usr/src/sys/arch/i386/compile/GENERIC i386
>Description:
Machine reported mclpool limit reached, so I increased nmbclusters to 4096; however, when rebooted it had the same problem within 5 seconds. I verified that nmbclusters=4096 and shut down all services except telnet. Upon browsing the authlog, this is what I found.

Jan 19 04:26:19 sys1 inetd[19930]: connection from pool-63.49.58.50.tmpa.grid.net, service pop3 (tcp)
Jan 19 04:54:26 sys1 portmap[219]: connect from 127.0.0.1 to unset(rstatd)
Jan 19 04:54:26 sys1 portmap[220]: connect from 127.0.0.1 to set(rstatd)
Jan 19 04:54:26 sys1 portmap[221]: connect from 127.0.0.1 to unset(rstatd)
Jan 19 04:54:26 sys1 portmap[222]: connect from 127.0.0.1 to set(rstatd)
Jan 19 04:54:26 sys1 portmap[223]: connect from 127.0.0.1 to unset(rstatd)
Jan 19 04:54:26 sys1 portmap[224]: connect from 127.0.0.1 to set(rstatd)
Jan 19 04:54:26 sys1 portmap[225]: connect from 127.0.0.1 to unset(rusersd)
Jan 19 04:54:26 sys1 portmap[226]: connect from 127.0.0.1 to set(rusersd)
Jan 19 04:54:26 sys1 portmap[227]: connect from 127.0.0.1 to unset(rusersd)
Jan 19 04:54:26 sys1 portmap[228]: connect from 127.0.0.1 to set(rusersd)
Jan 19 04:54:26 sys1 portmap[229]: connect from 127.0.0.1 to unset(walld)
Jan 19 04:54:26 sys1 portmap[230]: connect from 127.0.0.1 to set(walld)
Jan 19 04:54:30 sys1 inetd[253]: connection from pool-63.49.118.41.bltm.grid.net, service pop3 (tcp)
Jan 19 04:54:32 sys1 inetd[262]: connection from pool-63.49.4.130.mmph.grid.net, service pop3 (tcp)
Jan 19 04:54:45 sys1 inetd[393]: connection from pool-63.49.4.130.mmph.grid.net, service pop3 (tcp)
Jan 19 04:54:54 sys1 inetd[395]: connection from 208.144.228.34, service telnet (tcp)

Machine then crashed.
Last line in the log file was me trying to log in.
>How-To-Repeat:
Don't Know
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
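Added example (not part of the report or of NetBSD): a small Python script that parses portmap "connect from ... to set(...)/unset(...)" lines out of an authlog like the one above and flags any source address that changes registrations many times within a single second, which is the pattern visible in this report. The sample lines are copied from the excerpt above; the threshold of 5 events per second and the function names are my own choices.

```python
"""Flag bursts of portmap set/unset registration calls in a NetBSD authlog."""
import re
import sys
from collections import defaultdict

# Matches the portmap log format seen in the report; inetd and other lines are ignored.
PORTMAP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) portmap\[(?P<pid>\d+)\]: "
    r"connect from (?P<src>\S+) to (?P<op>set|unset)\((?P<svc>[^)]+)\)$"
)

# Sample input constructed from the authlog excerpt in the report above.
SAMPLE_AUTHLOG = """\
Jan 19 04:26:19 sys1 inetd[19930]: connection from pool-63.49.58.50.tmpa.grid.net, service pop3 (tcp)
Jan 19 04:54:26 sys1 portmap[219]: connect from 127.0.0.1 to unset(rstatd)
Jan 19 04:54:26 sys1 portmap[220]: connect from 127.0.0.1 to set(rstatd)
Jan 19 04:54:26 sys1 portmap[221]: connect from 127.0.0.1 to unset(rstatd)
Jan 19 04:54:26 sys1 portmap[222]: connect from 127.0.0.1 to set(rstatd)
Jan 19 04:54:26 sys1 portmap[223]: connect from 127.0.0.1 to unset(rstatd)
Jan 19 04:54:26 sys1 portmap[224]: connect from 127.0.0.1 to set(rstatd)
Jan 19 04:54:26 sys1 portmap[225]: connect from 127.0.0.1 to unset(rusersd)
Jan 19 04:54:26 sys1 portmap[226]: connect from 127.0.0.1 to set(rusersd)
Jan 19 04:54:26 sys1 portmap[227]: connect from 127.0.0.1 to unset(rusersd)
Jan 19 04:54:26 sys1 portmap[228]: connect from 127.0.0.1 to set(rusersd)
Jan 19 04:54:26 sys1 portmap[229]: connect from 127.0.0.1 to unset(walld)
Jan 19 04:54:26 sys1 portmap[230]: connect from 127.0.0.1 to set(walld)
Jan 19 04:54:30 sys1 inetd[253]: connection from pool-63.49.118.41.bltm.grid.net, service pop3 (tcp)
"""


def parse_portmap_events(lines):
    """Return a dict per portmap set/unset line; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = PORTMAP_RE.match(line.rstrip("\n"))
        if m:
            events.append(m.groupdict())
    return events


def find_registration_bursts(events, threshold=5):
    """Group set/unset calls by (source, timestamp second); keep buckets at/above threshold.

    threshold is an assumed tuning value: legitimate daemons register once at start-up,
    so several changes within one second from one source is worth an alert.
    """
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev["src"], ev["ts"])].append(f'{ev["op"]}({ev["svc"]})')
    return {key: ops for key, ops in buckets.items() if len(ops) >= threshold}


def summarize(lines, threshold=5):
    """Count portmap events and report bursty (source, second) buckets."""
    events = parse_portmap_events(lines)
    return {
        "portmap_events": len(events),
        "bursts": find_registration_bursts(events, threshold),
    }


if __name__ == "__main__":
    # Usage: python3 portmap_bursts.py [/var/log/authlog]; defaults to the sample above.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AUTHLOG.splitlines()
    result = summarize(source)
    print(f'{result["portmap_events"]} portmap set/unset events')
    for (src, ts), ops in result["bursts"].items():
        print(f"{ts}: {len(ops)} registration changes from {src}: {', '.join(ops)}")
```

On the excerpt above this reports a single bucket, 12 registration changes from 127.0.0.1 in the second 04:54:26, across rstatd, rusersd and walld. Grouping by the log's one-second timestamp is deliberately coarse: it needs no clock math and still separates a burst from a daemon restarting once.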