[src/trunk]: src/usr.sbin/inetd Prevent sending udp data to the obvious bad p...
details: https://anonhg.NetBSD.org/src/rev/77cd8f93d906
branches: trunk
changeset: 471791:77cd8f93d906
user: hwr <hwr%NetBSD.org@localhost>
date: Sun Apr 11 15:40:58 1999 +0000
description:
Prevent sending udp data to the obvious bad ports that are used for
DoS attacks (e.g. looping packets between two echo ports).
This should "fix" PR bin/2455.
Could anyone with appropriate "hacker tools" please check this?
diffstat:
usr.sbin/inetd/inetd.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++--
1 files changed, 51 insertions(+), 3 deletions(-)
diffs (114 lines):
diff -r 06b5a4669df3 -r 77cd8f93d906 usr.sbin/inetd/inetd.c
--- a/usr.sbin/inetd/inetd.c Sun Apr 11 15:12:49 1999 +0000
+++ b/usr.sbin/inetd/inetd.c Sun Apr 11 15:40:58 1999 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: inetd.c,v 1.46 1999/01/20 09:24:06 mycroft Exp $ */
+/* $NetBSD: inetd.c,v 1.47 1999/04/11 15:40:58 hwr Exp $ */
/*-
* Copyright (c) 1998 The NetBSD Foundation, Inc.
@@ -77,7 +77,7 @@
#if 0
static char sccsid[] = "@(#)inetd.c 8.4 (Berkeley) 4/13/94";
#else
-__RCSID("$NetBSD: inetd.c,v 1.46 1999/01/20 09:24:06 mycroft Exp $");
+__RCSID("$NetBSD: inetd.c,v 1.47 1999/04/11 15:40:58 hwr Exp $");
#endif
#endif /* not lint */
@@ -356,6 +356,7 @@
void inetd_setproctitle __P((char *, int));
void initring __P((void));
long machtime __P((void));
+int port_good_dg __P((struct sockaddr *sa));
static int getline __P((int, char *, int));
int main __P((int, char *[], char *[]));
@@ -392,6 +393,14 @@
{ NULL }
};
+/* list of "bad" ports. I.e. ports that are most obviously used for
+ * "cycling packets" denial of service attacks. See /etc/services.
+ * List must end with port number "0".
+ */
+
+u_int16_t bad_ports[] = { 7, 9, 13, 19, 37, 0};
+
+
#define NUMINT (sizeof(intab) / sizeof(struct inent))
char *CONFIG = _PATH_INETDCONF;
char **Argv;
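Review bot: The table is a writable, externally visible global although nothing in this change modifies it; declaring it `static const u_int16_t bad_ports[] = { 7, 9, 13, 19, 37, 0 };` keeps it out of the global namespace and lets the linker place it in read-only data. Because 0 is the terminator, port 0 itself can never be listed, so a datagram with source port 0 is still answered; whether that matters depends on the peer's stack, but it deserves a comment such as `/* port 0 cannot be listed: it terminates the table */`. The filter also drops replies to any legitimate peer bound to one of these ports, which is presumably acceptable since binding them requires privilege, but the header comment should say so.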
@@ -1709,7 +1718,8 @@
size = sizeof(sa);
if ((i = recvfrom(s, buffer, sizeof(buffer), 0, &sa, &size)) < 0)
return;
- (void) sendto(s, buffer, i, 0, &sa, sizeof(sa));
+ if (port_good_dg(&sa))
+ (void) sendto(s, buffer, i, 0, &sa, sizeof(sa));
}
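Review bot: The guard here wraps the `sendto()` in a positive test, while the other three datagram handlers in this change use the early-return form `if (!port_good_dg(&sa)) return;`; using that form in echo_dg too would make all four reject paths read alike, i.e. `if (!port_good_dg(&sa))` / `return;` followed by the unconditional `(void) sendto(...)`. The opening lines of echo_dg are outside the hunk.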
/* ARGSUSED */
@@ -1806,6 +1816,9 @@
if (recvfrom(s, text, sizeof(text), 0, &sa, &size) < 0)
return;
+ if (!port_good_dg(&sa))
+ return;
+
if ((len = endring - rs) >= LINESIZ)
memmove(text, rs, LINESIZ);
else {
@@ -1867,6 +1880,8 @@
size = sizeof(sa);
if (recvfrom(s, (char *)&result, sizeof(result), 0, &sa, &size) < 0)
return;
+ if (!port_good_dg(&sa))
+ return;
result = machtime();
(void) sendto(s, (char *) &result, sizeof(result), 0, &sa, sizeof(sa));
}
@@ -1903,6 +1918,8 @@
size = sizeof(sa);
if (recvfrom(s, buffer, sizeof(buffer), 0, &sa, &size) < 0)
return;
+ if (!port_good_dg(&sa))
+ return;
len = snprintf(buffer, sizeof buffer, "%.24s\r\n", ctime(&clock));
(void) sendto(s, buffer, len, 0, &sa, sizeof(sa));
}
@@ -2222,3 +2239,34 @@
return (result);
}
#endif
+
+/*
+ * check if the port where send data to is one of the obvious ports
+ * that are used for denial of service attacks like two echo ports
+ * just echoing data between them
+ */
+int port_good_dg(struct sockaddr *sa)
+{
+ struct sockaddr_in *sin;
+ u_int16_t port;
+ int i,bad;
+
+ bad=0;
+
+ sin=(struct sockaddr_in *)sa;
+ port=ntohs(sin->sin_port);
+
+ for(i=0;bad_ports[i]!=0;i++)
+ if (port==bad_ports[i]) {
+ bad=1;
+ break;
+ }
+
+ if (bad) {
+ syslog(LOG_WARNING,"Possible DoS attack from %s, Port %d",
+ inet_ntoa(sin->sin_addr),port);
+ return (0);
+ } else
+ return (1);
+}
+
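Review bot: Every rejected datagram produces a `syslog(LOG_WARNING, ...)` call, so an attacker who floods the echo, chargen, daytime or time ports with packets whose source port is in `bad_ports` now drives syslog at line rate, which is itself a denial of service against the log, and the source address in the message is likely spoofed, so it names a victim rather than the sender. Consider rate-limiting or logging at LOG_INFO, and describing a dropped packet rather than an attack, e.g. `syslog(LOG_INFO, "dropped datagram for %s port %d (possible loop)", inet_ntoa(sin->sin_addr), port);`. The function also casts `sa` to `struct sockaddr_in` without checking `sa->sa_family == AF_INET`; the callers in this diff pass a bare `struct sockaddr`, which presumably is IPv4-only today, but a guard such as `if (sa->sa_family != AF_INET) return (1);` would keep the port compare from reading garbage if an AF_INET6 socket is ever added. Iterating with `sizeof bad_ports / sizeof bad_ports[0]` instead of a 0 terminator would additionally allow port 0 to be listed.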