Great Circle Associates Majordomo-Workers
(October 1997)
 


Subject: Re: multiple lists commands attack --> majordomo vulnerabity?
From: Jason L Tibbitts III <tibbs @ hpc . uh . edu>
Date: 31 Oct 1997 10:52:41 -0600
To: majordomo-workers @ greatcircle . com
In-reply-to: Marko Hotti's message of Fri, 31 Oct 1997 07:59:46 +0200 (EET)
References: <Pine.LNX.3.96.971031074404.7285N-100000@lists.oulu.fi>

>>>>> "MH" == Marko Hotti <mhotti@lists.oulu.fi> writes:

MH> The other mailing list server I'm running and administering at the
MH> moment was attacked by some idiot who had sent about 50 subsequent
MH> messages to the majordomo address - each message containing +100 lines
MH> of the majordomo command 'lists'. I'm doing load average checks in my
MH> majordomo scripts but it is needless to say that the system got stuck
MH> for over 8 hours.

Doing load average checks will not always help you, because load averages
always lag behind the true load.  I suppose Majordomo could record a
timestamp and sleep to space it out, but you'd still have the perl
execution and compilation overhead.

In general, if Majordomo gets run at all, you have a potential DOS attack.
Thus I don't see how the general case can be solved within Majordomo.  Of
course, if any code at all gets run, you have a potential DOS attack
because someone can drive up your load just by sending you messages.  I
suppose the goal is to make it so that they have to saturate their pipe
before they saturate your machine.  But then /var is likely to fill up
first....

MH> Currently Majordomo does not do any overall checking on the incoming
MH> command message before starting executing the commands. Maybe we should
MH> find some way to prevent situations like this.

Well, for specific cases I'd refer you back to the discussion Chuq and I
had a while back.  The subject was more along the lines of how to prevent
being used as an accessory in a mailbomb attack (someone forges a From:
header, then makes a big pile of help requests).  The solution we came up
with was to track addresses and clamp down after an address makes too many
requests in too short a period of time.  Perhaps it would be wise to track
all Majordomo invocations (from any address) in the same way, clamping down
if it is run too many times, too quickly.  But then, since it has to start
in the first place, you're going to have the same problem if someone really
hammers you and a bunch of perls get started before any checks are done.

 - J<
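
The clamp-down described in the message above (track each address, and track all invocations the same way), as an added example that is not Majordomo code and not from the thread's participants. The class name, limits, in-memory state and sample traffic are assumptions; a Majordomo started once per message would have to keep this state on disk, and the check still runs only after the process has started.

```python
import time
from collections import deque


class RequestThrottle:
    """Sliding-window limit per sender address and across all senders."""

    def __init__(self, per_addr=5, overall=50, window=600.0):
        self.per_addr, self.overall, self.window = per_addr, overall, window
        self.all_seen = deque()   # (timestamp, address) of every accepted request
        self.by_addr = {}         # address -> deque of accepted timestamps

    def _expire(self, now):
        # One pass over the global queue also trims the per-address queues,
        # so the table never holds more than `overall` live entries.
        while self.all_seen and now - self.all_seen[0][0] >= self.window:
            _, addr = self.all_seen.popleft()
            q = self.by_addr[addr]
            q.popleft()
            if not q:
                del self.by_addr[addr]

    def allow(self, address, now=None):
        now = time.time() if now is None else now
        addr = address.strip().lower()   # From: may be forged; it is only a bucket key
        self._expire(now)
        q = self.by_addr.get(addr)
        if q is not None and len(q) >= self.per_addr:
            return "deny-address"        # one address asking too often
        if len(self.all_seen) >= self.overall:
            return "deny-global"         # too many invocations from any address
        # Denied requests are not recorded, so forged senders cannot grow the table.
        self.by_addr.setdefault(addr, deque()).append(now)
        self.all_seen.append((now, addr))
        return "ok"


def demo():
    t = RequestThrottle(per_addr=3, overall=5, window=60.0)
    # Constructed traffic: (seconds since start, From: address)
    traffic = [(0, "a@example.org"), (1, "a@example.org"), (2, "A@Example.org"),
               (3, "a@example.org"), (4, "b@example.org"), (5, "c@example.org"),
               (6, "d@example.org"), (61, "a@example.org")]
    return [t.allow(addr, now) for now, addr in traffic]


if __name__ == "__main__":
    print(demo())
```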

