COMMAND

    inetd

SYSTEMS AFFECTED

    SuSE Linux

PROBLEM

    Hendrik Scholz found following.  The inetd.conf starts the  identd
    with the  options -w  -t120 -e.   This means  that the  identd  is
    persistent and  will shut  down after  120 seconds  of idle  time.
    Lets say we start 100 requests in a short period.  Due to the fact
    that it  takes time  to answer  one request  more identd's will be
    started each eating up about 900kb memory and waiting 120  seconds
    before  terminating.   He  tested  this  behaviour  on   different
    machines with different hardware  (RAM, Swap, NIC).   Each machine
    becomes  unusable  after  some  seconds.   This  bug is in _every_
    SuSE Version at least since 4.4.   This ends up happening is  that
    a  master  identd  process  spawns  a  child  for each request and
    you're running into a basic FD-based DoS attack.

    According to inetd's man page:

        The  -t<seconds>  option  is  used  to specify the timeout
        limit. This is the number of seconds a server started with
        the -w flag will wait for new connections before terminat-
        ing. The server is automatically restarted by inetd  when-
        ever a new connection is requested if it has terminated. A
        suitable value for this is 120 (2 minutes),  if  used.  It
        defaults to no timeout (i.e. will wait forever, or until a
        fatal condition occurs in the server).

    This does not  mean that the  server does nothing  until <seconds>
    elapse.   It listen  to requests  and serves  them.   If there  is
    no  request   during  the   <seconds>  period   it  dies.     Many
    inetd-spawned servers do like this (e.g. xtacacsd).  If  something
    is going wrong it is not  related to the -t120 flag.   Maybe inetd
    does not know there is an identd on duty and spawns another copy.

SOLUTION

    It is actually  not inetd who  spawns new processes,  it is really
    the in.identd.   In fact,  inetd has  a fork-resource-limit  built
    in, so that it  will refuse to spawn  new servers if more  than 40
    (by default) requests come in for the same service.  The in.identd
    found  on  the  SuSE  distribution  is  version  2.7.4  of   Peter
    Eriksson's pidentd, and that would fork one process for every  new
    client request as long as it can breath.

    The obvious fix  is to change  the /etc/inetd.conf setting  to "-i
    -e" which SuSE  team will consider.  This uses more  resources (as
    every server started goes through the database reading functions),
    but  is  DoS  attack  safe.   There  are  two  viable  long   term
    solutions.   Either switch  to version  3.x.x of  pidentd, but for
    various reasons we  have not yet  full confidence into  this major
    rewrite, mainly  for warnings  the author  himself has  expressed.
    Please don't get that wrong, this *IS* excellent software. And  in
    terms of resource control this  version is clean.  What  SuSE will
    be providing on  a short term  basis is a  patched 2.7.4 with  the
    resource  control  built  in.  With  that  fix in place it will be
    clean also and can be invoked with "-i", "-w" or "-b" at will.