[JDEV] Possible Denial of Service in mio_ssl.c
Gabriel C Millerd
gmillerd at qualhost.com
Fri Jun 7 03:17:01 CDT 2002
Snort has a rule for this sort of kiddie. Then you script (or rather use a
canned Snort script) a proper response (à la ipchains, BGP, whatever suits
your needs).
On 7 Jun 2002, Martin Lesser wrote:
> The last days we had some trouble with a script-kiddie:
>
> Looks like this kid wrote a script which permanently (at least every
> second) tried to connect to port 5223 of our Jabber-Server (1.4.2)
> without having a real ssl-client at his side.
>
> This caused a huge number of log-entries (after enabling debugging):
>
> mio_ssl.c:238 SSL accepting socket with new session 82aeb48
> mio_ssl.c:256 Error from SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> mio_ssl.c:257 SSL Error in SSL_accept call
>
> After some time this caused our main jabberd to hang - only a restart of
> jabberd after inserting a DROP rule for the kiddie's IP into our
> iptables ruleset brought jabberd back into stable working.
>
> At the moment I've no idea how to prevent jabberd from looping endlessly/too
> soon through mio_ssl in such a case, perhaps the heartbeat monitor could
> help us here but I don't know how.
>
> Please correct me if you think that there's a possible misconfiguration
> on our side so I can post the relevant parts of our conf files.
>
> BTW, is there a simple way to see which current user comes from which IP?
> netstat at this point is only partially helpful.
>
> TIA,
>
> Martin
>
> --
> Express-Kommunikation mit Jabber:
> JabberID: martin at jabber.bettercom.de
---
Gabriel C. Millerd | There is a saying in prize fighting: Everyone has a
Sith Admin | plan until they get hit.
|
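
The detect-then-block response discussed in this thread, as an added example that is not part of the original messages and is not Snort or jabberd code: a sliding-window counter flags any source that opens too many connections to port 5223 and renders the matching iptables DROP rule. The event format, thresholds and sample addresses are assumptions made for this sketch.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample: (epoch_seconds, source_ip) for new TCP connections to
# port 5223, e.g. parsed from a firewall log. Addresses are documentation ranges.
SAMPLE_EVENTS = (
    [(1000 + i, "192.0.2.10") for i in range(30)]  # one connect per second
    + [(1000, "198.51.100.7"), (1012, "198.51.100.7"), (1025, "198.51.100.7")]
)


def find_flooders(events, window=10, max_conns=5):
    """Return {ip: time the threshold was first exceeded} for every source
    that opens more than max_conns connections within `window` seconds."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    flagged = {}
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:  # evict connections older than the window
            q.popleft()
        if len(q) > max_conns and ip not in flagged:
            flagged[ip] = ts
    return flagged


def drop_rules(flagged, port=5223):
    """Render one iptables DROP rule per flagged source. The rules are only
    returned as text; nothing is executed here."""
    rules = []
    for ip in sorted(flagged):
        # Log fields are untrusted input: accept only a literal IP address
        # before placing it in a firewall command (raises ValueError otherwise).
        addr = ipaddress.ip_address(ip)
        rules.append(f"iptables -I INPUT -s {addr} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    hits = find_flooders(SAMPLE_EVENTS)
    for rule in drop_rules(hits):
        print(rule)
```
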