From: Jesse Pollard <jesse@cats-chateau.net>
To: Fredrik Tolf <fredrik@dolda2000.cjb.net>, linux-kernel@vger.kernel.org
Subject: Re: PTY DOS vulnerability?
Date: Tue, 1 Jul 2003 06:57:49 -0500
Message-ID: <03070106574900.01125@tabby>
In-Reply-To: <200306301613.11711.fredrik@dolda2000.cjb.net>

On Monday 30 June 2003 09:18, Fredrik Tolf wrote:
> Has someone considered PTYs as a possible attack vector for DOS
> attacks? Correct me if I'm wrong, but cannot someone just open
> all available PTYs on a console-less server and make everyone
> unable to log in?
>
> I mean, what if e.g. apache is hacked, and the first thing the
> attacker does is to tie up all PTYs, so that no one can log in to
> correct the situation while the attacker can go about his
> business? Then the only possible solution would be to reboot the
> server, which might very well not be desirable.
>
> If you want proof of concept code, look at
> http://www.dolda2000.cjb.net/~fredrik/ptmx.c
> I successfully ran this on one of my servers which effectively
> disabled anyone from logging in via SSH.
>
> Shouldn't PTYs be a per-user resource limit?
>
> Someone must have thought of this before me, right? How am I
> wrong?

One problem is that ptys are not just "used by the user". Every terminal
window opened uses a pty. As does a network connection.

As does "expect" - which is less visible to the user since it is intended
to be invisible.

The real question is "how many PTYs should a single user have?"
Which then prompts the question "How many concurrent users should there be?"

Second, just providing a user limit doesn't prevent a denial of service.
Just have more connections than ptys and you are in the same situation.
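
The following is an added example, not part of the original message or thread: a defender-side audit of how many PTYs each uid holds and how much of the system pool remains, plus a check of whether a given per-user cap could still let the pool fill. It assumes Linux with devpts mounted at /dev/pts and the `/proc/sys/kernel/pty/max` sysctl; the function names and the cap of 16 are hypothetical.

```python
import os
from collections import Counter

PTS_DIR = "/dev/pts"                  # assumed devpts mount point
PTY_MAX = "/proc/sys/kernel/pty/max"  # Linux sysctl: size of the PTY pool

def pty_owners(pts_dir=PTS_DIR):
    """Map each allocated PTY slave name to the uid that owns it."""
    owners = {}
    for entry in os.scandir(pts_dir):
        if not entry.name.isdigit():  # skip the ptmx node
            continue
        try:
            owners[entry.name] = entry.stat().st_uid
        except FileNotFoundError:     # PTY closed while we were scanning
            pass
    return owners

def audit(owners, pool_size, per_uid_cap):
    """Report pool usage and the uids holding more than per_uid_cap PTYs."""
    per_uid = Counter(owners.values())
    return {
        "used": len(owners),
        "free": pool_size - len(owners),
        "per_uid": dict(per_uid),
        "over_cap": sorted(u for u, n in per_uid.items() if n > per_uid_cap),
    }

def cap_leaves_headroom(accounts, per_uid_cap, pool_size):
    """True if a PTY stays free even when every account sits at its cap."""
    return accounts * per_uid_cap < pool_size

if __name__ == "__main__":
    with open(PTY_MAX) as f:
        pool = int(f.read())
    print(audit(pty_owners(), pool, per_uid_cap=16))  # 16 is an arbitrary cap
```

If devpts is mounted with a `uid=` option, every slave reports that uid, so per-user attribution would need another source such as the process holding the master side.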
