[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-nfs
Subject:    [NFS] Denial of service against rpc.mountd
From:       "Patrick J. LoPresti" <patl () curl ! com>
Date:       2001-05-31 22:13:00
[Download RAW message or body]

We are using nfs-utils 0.3.1 (from the RedHat 6.2 updates collection).

One of our developers wrote a "socket test" which attempts to open
massive numbers of TCP connections to a port on another machine.  By
accident, he pointed this test at the listening port for rpc.mountd on
one of our file servers.

The rpc.mountd process immediately began logging failures about being
unable to access /var/lib/nfs/* because of "too many open files".
lsof confirmed that around 1000 file descriptors were consumed by TCP
connections.  So this appears to be a simple and nasty DoS attack.

It gets worse.  Even when the offending process on the "attacking"
machine was terminated (so that the machine thought the connections
were closed), the sockets remained open in rpc.mountd on the server.
Rebooting the attacking machine did not help; I had to restart mountd
to make it close the sockets.

This might actually be two bugs.  First, mountd should probably limit
the number of simultaneous open TCP connections (perhaps by source
address?), lest it run out of file descriptors for performing other
tasks.  Second, it looks like mountd is leaking file descriptors, at
least when hit with massive numbers of incoming TCP connections.

If this is not enough information to reproduce the problem, let me
know.

 - Pat

_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/nfs

[prev in list] [next in list] [prev in thread] [next in thread]