On Mon, Feb 26, 2001 at 04:39:58PM -0500, Jose Nazario wrote:
> this can be stemmed in a number of ways:
>
> 1] using inetd, rate limit the connections. change a line like
>
> telnet stream tcp nowait root /usr/libexec/telnetd telnetd
>
> to
>
> telnet stream tcp nowait.1 root /usr/libexec/telnetd telnetd
>
> this will maximize the number of connections per minute on that service:
>
> (from an inetd manpage on OpenBSD 2.8)

Actually, that was implemented in NetBSD. But regardless, it's not
sufficient. All that does is adjust the threshold at which inetd
decides the server is `looping' and disables it. Setting it to 1, for
example, just makes the problem *much* worse. Setting it to, e.g.,
1000000 will effectively disable the hack, and is a reasonable
workaround if your machine can deal.

The real answer is to implement proper rate-limiting instead. A bonus
would be to implement it in a library (say, libwrap) that standalone
and `wait' services can also use.
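The contrast drawn above, as an added example that is not code from this thread, from inetd or from libwrap: a constructed simulation that models the `nowait.N` threshold (a service-wide count of forks per minute, after which the whole service is taken away) next to a per-source token bucket, the kind of rate limiter the reply argues for. The workload, the addresses (drawn from the documentation ranges) and the bucket parameters are all made up for the demonstration, and the inetd model is simplified: once the threshold trips it stays disabled for the rest of the run.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not inetd's or libwrap's code. Constants are assumptions. */
#define MAX_SOURCES  16
#define BUCKET_BURST 5      /* connections one source may burst */
#define BUCKET_RATE  1.0    /* tokens refilled per second, per source */

struct bucket  { const char *src; double tokens; double last; };
struct limiter { struct bucket b[MAX_SOURCES]; int n; };

static struct bucket *lookup(struct limiter *l, const char *src, double now)
{
    for (int i = 0; i < l->n; i++)
        if (strcmp(l->b[i].src, src) == 0)
            return &l->b[i];
    if (l->n == MAX_SOURCES)
        return NULL;                        /* table full */
    struct bucket *nb = &l->b[l->n++];
    nb->src = src; nb->tokens = BUCKET_BURST; nb->last = now;
    return nb;
}

/* Per-source token bucket: 1 = admit the connection, 0 = throttle it. */
int bucket_admit(struct limiter *l, const char *src, double now)
{
    struct bucket *b = lookup(l, src, now);
    if (!b)
        return 0;                           /* fail closed when out of slots */
    b->tokens += (now - b->last) * BUCKET_RATE;
    if (b->tokens > BUCKET_BURST)
        b->tokens = BUCKET_BURST;
    b->last = now;
    if (b->tokens >= 1.0) { b->tokens -= 1.0; return 1; }
    return 0;
}

/* Service-wide threshold in the spirit of nowait.N (simplified model). */
struct inetd_svc { int max_per_min; int count; double window_start; int disabled; };

int inetd_admit(struct inetd_svc *s, double now)
{
    if (s->disabled)
        return 0;
    if (now - s->window_start >= 60.0) {    /* new one-minute window */
        s->window_start = now;
        s->count = 0;
    }
    if (++s->count > s->max_per_min) {
        s->disabled = 1;                    /* "looping": the whole service goes away */
        return 0;
    }
    return 1;
}

/* Constructed workload: 20 connections from one noisy source inside the
 * first second, then a well-behaved client connecting every 5 s for a minute. */
struct event { double t; const char *src; };
#define N_EVENTS 32

static int build_workload(struct event *ev)
{
    int n = 0;
    for (int i = 0; i < 20; i++)
        ev[n++] = (struct event){ i * 0.05, "198.51.100.7" };    /* noisy */
    for (int j = 0; j < 12; j++)
        ev[n++] = (struct event){ 2.0 + 5.0 * j, "192.0.2.10" }; /* legit */
    return n;   /* already time-ordered: every noisy event precedes t = 2 s */
}

struct tally { int noisy_ok, noisy_dropped, legit_ok, legit_dropped; };

static void tally_add(struct tally *t, const struct event *e, int ok)
{
    if (strcmp(e->src, "198.51.100.7") == 0) { if (ok) t->noisy_ok++; else t->noisy_dropped++; }
    else                                      { if (ok) t->legit_ok++; else t->legit_dropped++; }
}

struct tally run_inetd(int max_per_min)
{
    struct event ev[N_EVENTS];
    int n = build_workload(ev);
    struct inetd_svc s = { max_per_min, 0, 0.0, 0 };
    struct tally t = { 0, 0, 0, 0 };
    for (int i = 0; i < n; i++)
        tally_add(&t, &ev[i], inetd_admit(&s, ev[i].t));
    return t;
}

struct tally run_bucket(void)
{
    struct event ev[N_EVENTS];
    int n = build_workload(ev);
    struct limiter l;
    memset(&l, 0, sizeof l);
    struct tally t = { 0, 0, 0, 0 };
    for (int i = 0; i < n; i++)
        tally_add(&t, &ev[i], bucket_admit(&l, ev[i].src, ev[i].t));
    return t;
}

static void report(const char *label, struct tally t)
{
    printf("%-18s noisy %2d/%2d admitted, legit %2d/%2d admitted\n", label,
           t.noisy_ok, t.noisy_ok + t.noisy_dropped, t.legit_ok, t.legit_ok + t.legit_dropped);
}

int main(void)
{
    report("nowait.1", run_inetd(1));
    report("nowait.1000000", run_inetd(1000000));
    report("per-source bucket", run_bucket());
    return 0;
}
```

With the threshold at 1 the second connection trips the "looping" check and the legitimate client never gets in, which is the point about the setting making things worse; with a huge threshold everything is admitted, including the burst; the per-source bucket admits the burst only up to its capacity and leaves the other client untouched, since each address is accounted for separately. A real implementation would also need to expire idle buckets and bound the table so that the limiter itself cannot be used to exhaust memory.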