Method for IP firewall to detect and prevent Denial of Service attack on rsh connections

IP.com Disclosure Number: IPCOM000020457D
Original Publication Date: 2003-Nov-21
Included in the Prior Art Database: 2003-Nov-21
Document File: 2 page(s) / 38K

Publishing Venue

IBM

Abstract

Disclosed is a method for performing state based rsh connection set up monitoring in IP firewall, for both stdin/stdout and stderr connections, which will filter out connection initiation from third party for the stderr connection. This is to prevent Denial of Service attacks on rsh connections.

This is the abbreviated version, containing approximately 53% of the total text.

The way rsh works is that it opens two socket connections with the remote rsh server, one for stdin/stdout and the other for stderr. It uses reserved ports (less than 1024, which only the super user can bind to on *UNIX systems) for its connections. Here is how rsh operates:

a) open a stdin/stdout connection with the remote

b) open a new socket and bind it to a reserved port for the stderr connection

c) listen() for a connection on the stderr socket

d) send this port number as an ASCII string (data) to the remote over the stdout connection

e) accept() - wait for the remote to connect for the stderr connection

f) check the peer's port number of the new connection that accept() returns. If it is not a reserved port, terminate all connections (stdin/stdout and stderr) and fail the rsh command.

g) Otherwise proceed and send the user command to the peer to execute on the remote machine.
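The following Python is an added example, not code from the disclosure or from any rsh implementation. It models steps (b) to (g) with real loopback sockets and then races a third party against the legitimate remote for the stderr port. Binding a port below 1024 needs root, so the demo substitutes two unprivileged ranges for "reserved" and "ordinary" source ports (an assumption of the demo, stated in the code); the check itself, the NUL-terminated ASCII port announcement, and the accept-order behaviour are the real ones.

```python
import socket

# Real rsh trusts only stderr peers whose source port is below this limit.
RESERVED_LIMIT = 1024


def peer_port_is_reserved(port: int, reserved_limit: int = RESERVED_LIMIT) -> bool:
    """Step (f): the check rsh applies to the source port of the accepted stderr peer."""
    return 0 < port < reserved_limit


def rsh_client_stderr_listen() -> socket.socket:
    """Steps (b)-(c). Real rsh binds a reserved port here (rresvport()); that needs
    root, so this demo lets the kernel pick an ephemeral port instead."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    return listener


def stderr_port_announcement(listener: socket.socket) -> bytes:
    """Step (d): the port number as an ASCII string; rsh terminates it with a NUL."""
    return str(listener.getsockname()[1]).encode("ascii") + b"\0"


def rsh_client_accept_stderr(listener, reserved_limit=RESERVED_LIMIT):
    """Steps (e)-(f): accept whoever connected first and apply the port check.
    Returns (ok, peer_address, conn); ok=False means rsh would tear everything down."""
    conn, peer = listener.accept()
    if not peer_port_is_reserved(peer[1], reserved_limit):
        conn.close()
        return False, peer, None
    return True, peer, conn  # step (g) would send the command over stdout now


def connect_from(port_range, target_port):
    """Connect to the client's stderr listener from the first free source port in range."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    for p in range(*port_range):
        try:
            s.bind(("127.0.0.1", p))
            break
        except OSError:
            continue
    else:
        s.close()
        raise RuntimeError("no free source port in %r" % (port_range,))
    s.connect(("127.0.0.1", target_port))
    return s


# Unprivileged stand-ins for the real ranges (an assumption of this demo, not of rsh):
# [49000, 50000) plays the reserved range 512..1023, [50000, 51000) plays >= 1024.
MODEL_LIMIT = 50000
MODEL_RESERVED = (49000, MODEL_LIMIT)
MODEL_ORDINARY = (MODEL_LIMIT, 51000)


def simulate(attacker_first: bool, attacker_uses_reserved: bool) -> str:
    """Race the legitimate remote against a third party for the stderr port.
    Returns "ok" (remote won), "dos" (attacker won from an ordinary port, rsh fails)
    or "hijack" (attacker won from a reserved port and becomes the stderr peer)."""
    listener = rsh_client_stderr_listen()
    port = int(stderr_port_announcement(listener).rstrip(b"\0"))
    attacker_range = MODEL_RESERVED if attacker_uses_reserved else MODEL_ORDINARY
    order = ["attacker", "remote"] if attacker_first else ["remote", "attacker"]
    socks = {}
    for who in order:  # connect() completes on loopback before accept() is ever called
        socks[who] = connect_from(MODEL_RESERVED if who == "remote" else attacker_range, port)
    ok, peer, conn = rsh_client_accept_stderr(listener, reserved_limit=MODEL_LIMIT)
    remote_addr = socks["remote"].getsockname()
    for s in list(socks.values()) + [listener] + ([conn] if conn else []):
        s.close()
    if not ok:
        return "dos"
    return "ok" if peer == remote_addr else "hijack"


if __name__ == "__main__":
    print("remote first, attacker from ordinary port:", simulate(False, False))
    print("attacker first from ordinary port:        ", simulate(True, False))
    print("attacker first from reserved port:        ", simulate(True, True))
```

The point the demo makes explicit is that accept() hands rsh whichever connection completed first; the reserved-port check in step (f) can only turn a hijack into a failed command, it cannot recover the session for the legitimate remote.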

Step (f) has the potential to be exploited for a denial of service attack. An attacker (a third system) can make rsh fail if it can initiate a connection before the remote end does. All it has to do is try connecting to ports from 1023 downwards to 512, using a non-reserved port for its own end. If it happens to hit the port that rsh is waiting on, the rsh command will fail. If the attacker uses a reserved port for its end instead, the rsh client ends up with a stderr connection not to the intended remote machine but to a third party. The disclosed method solves this problem by making the IP firewall do state based rsh connection monitoring, to detect and prevent this misuse.

The solution is a state based rsh connection set up monitoring, in I...
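The following Python is an added example of the kind of state tracking the abstract describes, written for this page; it is not the disclosure's code and the class, method and field names are this example's own. The tracker watches the stdout connection to port 514 for the NUL-terminated ASCII stderr port the client announces, remembers which server that client is talking to, and then allows the connection attempt to that stderr port only from that server and only once. The packet events are constructed, not captured.

```python
RSH_PORT = 514  # rsh server port; the client connects to it from a reserved port


class RshStateTracker:
    """Tracks rsh sessions through their set-up phase so that the stderr
    call-back connection is accepted only from the rsh server the client talked to.
    Hypothetical firewall module written for this page, not the disclosure's code."""

    def __init__(self):
        # stdout connections seen: (client_ip, client_port) -> [server_ip, buffered bytes]
        self.sessions = {}
        # stderr listeners announced: (client_ip, stderr_port) -> [server_ip, state]
        self.expected = {}

    def on_syn(self, src_ip, src_port, dst_ip, dst_port) -> str:
        """Decision for a new connection attempt: 'allow' or 'drop'."""
        if dst_port == RSH_PORT:
            # Step (a): client opens stdin/stdout; remember who the server is.
            self.sessions[(src_ip, src_port)] = [dst_ip, b""]
            return "allow"
        entry = self.expected.get((dst_ip, dst_port))
        if entry is None:
            return "allow"  # not a port an rsh client announced; other rules decide
        server_ip, state = entry
        if state == "waiting" and src_ip == server_ip:
            entry[1] = "established"  # the one connection rsh will accept()
            return "allow"
        return "drop"  # third party, or a second attempt after the real one

    def on_data(self, src_ip, src_port, dst_ip, dst_port, payload: bytes) -> None:
        """Client -> server bytes on the stdout connection. The first NUL-terminated
        field is the stderr port (step d); '0' means the client wants no stderr channel."""
        sess = self.sessions.get((src_ip, src_port))
        if sess is None or dst_ip != sess[0] or dst_port != RSH_PORT:
            return
        sess[1] += payload
        if b"\0" not in sess[1]:
            return  # announcement split across segments; keep buffering
        digits = sess[1].split(b"\0", 1)[0]
        del self.sessions[(src_ip, src_port)]  # rest of the stream is user/command data
        if digits.isdigit() and 0 < int(digits) < 65536:
            self.expected[(src_ip, int(digits))] = [sess[0], "waiting"]


def constructed_trace():
    """Constructed packet events (not captured traffic): client 10.0.0.1 runs rsh to
    server 10.0.0.2 and announces stderr port 1022; 10.0.0.9 is a third party."""
    C, S, X = "10.0.0.1", "10.0.0.2", "10.0.0.9"
    return [
        ("syn", C, 1021, S, RSH_PORT),
        ("data", C, 1021, S, RSH_PORT, b"10"),  # announcement split in two segments
        ("data", C, 1021, S, RSH_PORT, b"22\0user\0user\0ls\0"),
        ("syn", X, 40000, C, 1022),  # scanner hits the announced port first
        ("syn", S, 1020, C, 1022),  # real server's stderr call-back
        ("syn", X, 1019, C, 1022),  # reserved-port attempt from the third party, too late
    ]


def run_trace(tracker, events):
    """Feed events through the tracker, returning the decision for each SYN."""
    decisions = []
    for ev in events:
        if ev[0] == "syn":
            decisions.append(tracker.on_syn(*ev[1:]))
        else:
            tracker.on_data(*ev[1:])
    return decisions


if __name__ == "__main__":
    print(run_trace(RshStateTracker(), constructed_trace()))  # ['allow', 'drop', 'allow', 'drop']
```

Two things a deployment would add that this demo leaves out: entries in `sessions` and `expected` need a timeout, otherwise a client that never announces a port leaks state; and the firewall only learns the stderr port once the announcement has passed through it, so a SYN that arrives between the client's listen() and that announcement is not yet tied to any session and is allowed here by the "not announced" rule. A stricter policy for hosts known to be rsh clients would refuse inbound SYNs to the reserved range unless announced.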