Hello Rob,
On 18.11.2019 at 16:37, Rob Berendt <rob@xxxxxxxxx> wrote:
> In your opinion could I use this
> https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzaiw/rzaiwdevinit.htm
> to stop this DOS attack?
No. Registering a hook/exit program which gets called *after* session startup creates additional load on the server.
The only workaround I could think of would be to place a (linux) box with a TCP proxy (like xinetd) logically between the i and the clients. Xinetd knows about some limits to place on allowed connections.
Clients connect to the linux box instead of directly to the i. Since IBM client access solutions software utilizes not just telnet but also other ports, you need to define multiple TCP forwards.
Example: (I hope formatting stays intact).
service mvs-telnet
{
        id              = mvs-telnet
        type            = UNLISTED
        disable         = no
        wait            = no
        protocol        = tcp
        user            = nobody
        group           = nogroup
        only_from       = 192.168.59.0/24
        log_type        = syslog daemon info
        log_on_success  = HOST DURATION TRAFFIC
        bind            = 192.168.59.93
        port            = 23
        redirect        = 127.0.0.1 3270
}
From the man page xinetd.conf: (I hope formatting stays intact).
       per_source
              Takes an integer or "UNLIMITED" as an argument. This specifies
              the maximum instances of this service per source IP address.
              This can also be specified in the defaults section.

       cps    Limits the rate of incoming connections. Takes two arguments.
              The first argument is the number of connections per second to
              handle. If the rate of incoming connections is higher than
              this, the service will be temporarily disabled. The second
              argument is the number of seconds to wait before re-enabling
              the service after it has been disabled. The default for this
              setting is 50 incoming connections and the interval is 10
              seconds.

       max_load
              Takes a floating point value as the load at which the service
              will stop accepting connections. For example: 2 or 2.5. The
              service will stop accepting connections at this load. This is
              the one minute load average. This is an OS dependent feature,
              and currently only Linux, Solaris, and FreeBSD are supported
              for this. This feature is only available if xinetd was
              configured with the --with-loadavg option.

       rlimit_as
              Sets the Address Space resource limit for the service. One
              parameter is required, which is either a positive integer
              representing the number of bytes to set the limit to (K or M
              may be used to specify kilobytes/megabytes) or "UNLIMITED".
              Due to the way Linux's libc malloc is implemented, it is more
              useful to set this limit than rlimit_data, rlimit_rss and
              rlimit_stack. This resource limit is only implemented on Linux
              systems.

       rlimit_cpu
              Sets the maximum number of CPU seconds that the service may
              use. One parameter is required, which is either a positive
              integer representing the number of CPU seconds limit to, or
              "UNLIMITED".

       rlimit_data
              Sets the maximum data size resource limit for the service. One
              parameter is required, which is either a positive integer
              representing the number of bytes or "UNLIMITED".

       rlimit_rss
              Sets the maximum resident set size limit for the service.
              Setting this value low will make the process a likely
              candidate for swapping out to disk when memory is low. One
              parameter is required, which is either a positive integer
              representing the number of bytes or "UNLIMITED".

       rlimit_stack
              Set the maximum stack size limit for the service. One
              parameter is required, which is either a positive integer
              representing the number of bytes or "UNLIMITED".
I didn't use any of these parameters, since I don't need to rate-limit connections but expose port 23 for a very old implementation of tn3270 for the Macintosh which doesn't allow connecting to ports other than 23.
On a side note, I'm surprised how easy it seems to be to bring the biggest hardware to its knees by just doing TCP connects and negotiating telnet.
:wq! PoC
PGP-Key: DDD3 4ABF 6413 38DE -
https://www.pocnet.net/poc-key.asc
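Added example, not part of the mail above: the same xinetd forward, but with the per_source and cps attributes from the quoted man page set, so a connection flood hits the Linux proxy's limits before it reaches the IBM i telnet server. It assumes the proxy address and client subnet from the mail, an IBM i at the placeholder address 192.0.2.10, and that the host-server ports are forwarded by further service blocks of the same shape.

```conf
# Added example (not from the original mail). Assumptions: the proxy listens on
# 192.168.59.93 as in the mail, the IBM i is at 192.0.2.10 (placeholder), and
# clients live in 192.168.59.0/24.

defaults
{
        # Applies to every service below unless a service overrides it.
        log_type        = syslog daemon info
        log_on_success  = HOST DURATION TRAFFIC
        log_on_failure  = HOST
        # At most 10 concurrent connections from any single client IP.
        per_source      = 10
        # Above 30 new connections per second, stop accepting for 60 seconds
        # (the man page default is 50 connections and a 10 second interval).
        cps             = 30 60
        # Upper bound on all xinetd-spawned instances together.
        instances       = 200
}

service ibmi-telnet
{
        id              = ibmi-telnet
        type            = UNLISTED
        disable         = no
        socket_type     = stream
        wait            = no
        protocol        = tcp
        user            = nobody
        group           = nogroup
        only_from       = 192.168.59.0/24
        bind            = 192.168.59.93
        port            = 23
        # Forward to the telnet server on the i itself (placeholder address).
        redirect        = 192.0.2.10 23
        # Tighter than the default: an interactive 5250/3270 user needs few
        # parallel sessions, so a burst from one address is cut off early.
        per_source      = 3
        # Limit each forwarding instance so a stuck session cannot eat memory.
        rlimit_as       = 32M
}

# Repeat a service block per IBM i Access host-server port the clients use,
# each with its own bind/port/redirect, so the same limits cover those paths.
```

Rejected and rate-limited connections show up in syslog via log_on_failure, which gives a concrete signal of a flood that the i would otherwise have absorbed silently.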