From: Jesse Pollard <jesse@cats-chateau.net>
To: Fredrik Tolf <fredrik@dolda2000.cjb.net>, linux-kernel@vger.kernel.org
Subject: Re: PTY DOS vulnerability?
Date: Tue, 1 Jul 2003 06:57:49 -0500 [thread overview]
Message-ID: <03070106574900.01125@tabby> (raw)
In-Reply-To: <200306301613.11711.fredrik@dolda2000.cjb.net>
On Monday 30 June 2003 09:18, Fredrik Tolf wrote:
> Has someone considered PTYs as a possible attack vector for DOS
> attacks? Correct me if I'm wrong, but cannot someone just open
> all available PTYs on a console-less server and make everyone
> unable to log in?
>
> I mean, what if eg. apache is hacked, and the first thing the
> attacker does is to tie up all PTYs, so that noone can log in to
> correct the situation while the attacker can go about his
> business? Then the only possible solution would be to reboot the
> server, which might very well not be desirable.
>
> If you want proof of concept code, look at
> http://www.dolda2000.cjb.net/~fredrik/ptmx.c
> I successfully ran this on one of my servers which effectively
> disabled anyone from logging in via SSH.
>
> Shouldn't PTYs be a per-user resource limit?
>
> Someone must have thought of this before me, right? How am I
> wrong?
One problem is that ptys are not just "used by the user". Every terminal
window opened uses a pty. As does a network connection.
As does "expect" - which is less visible to the user since it is intended
to be invisible.
The real question is "how many PTYs should a single user have?"
Which then prompts the question "How many concurrent users should there be?"
second, just providing a user limit doesn't prevent a denial of service..
Just have more connections than ptys and you are in the same situation.
next prev parent reply other threads:[~2003-07-01 11:43 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-06-30 14:18 PTY DOS vulnerability? Fredrik Tolf
2003-06-30 17:55 ` Alan Cox
2003-06-30 21:31 ` Fredrik Tolf
2003-06-30 21:36 ` Alan Cox
2003-07-01 12:15 ` Jesse Pollard
2003-07-01 13:41 ` Timothy Miller
2003-07-01 6:22 ` Oleg Drokin
2003-07-01 11:57 ` Jesse Pollard [this message]
2003-07-01 19:53 ` Helge Hafting
2003-07-02 6:42 ` Paul Rolland
2003-07-03 1:14 ` Jesse Pollard
2003-07-03 1:52 ` H. Peter Anvin
-- strict thread matches above, loose matches on Subject: below --
2003-07-08 23:11 Clayton Weaver
2003-07-09 10:08 ` Svein Ove Aas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=03070106574900.01125@tabby \
--to=jesse@cats-chateau.net \
--cc=fredrik@dolda2000.cjb.net \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox