
Multiple DoS attacks against AnalogX Proxy 4.12

September 26, 2002 6:54AM UTC

Multiple denial-of-service attacks exist against AnalogX Proxy 4.12 and probably all earlier versions.

AnalogX Proxy is a simple-to-configure proxy server offering proxies for Web (port 6588), SMTP (port 25), POP3 (port 110), FTP (port 21), NNTP (port 119) and SOCKS (port 1080). All services are enabled by default and all are bound to Internet-accessible interfaces, although this latest version adds a warning message informing the user of this fact.

Problems arise when the proxy is asked to connect back to ports on the same proxy server. This is most readily achieved by telling it to connect to the loopback address of 127.0.0.1.

Using the different proxy services available, we can issue many kinds of loopback connections, each with different damaging effects: CPU, memory and resource exhaustion.


Using the web proxy (TCP port 6588), issue an HTTP request of 'GET 127.0.0.1:6588\r\n\r\n' to port 6588. This achieves a connection back to the same web proxy port.

Keeping the connection open and sending this request at a rate of 1 every 15 seconds we see:

CPU: 70%
Handles: +700/sec
Memory: +4MB/sec
Threads: +100/sec

When the attack ceases, the application often never fully recovers, with the CPU remaining around 70% and threads fluctuating between 10 and 14. Sustained attacking will cause total system resource starvation.


Again, using the web proxy port, we now issue a request to the SMTP proxy using the command 'GET 127.0.0.1:25\r\n\r\n' sent to TCP port 6588.

Keeping the connection open and sending this request at a rate of 1 every second we see:

CPU: Stable
Handles: +2/sec
Memory: +68KB/sec
Threads: +12/sec

Resources are never regained when this attack ceases. Sustained attacking will cause total system resource starvation.


Once more using the web proxy port, we now issue a request to the FTP proxy using the command 'GET 127.0.0.1:21\r\n\r\n' sent to TCP port 6588.

Keeping the connection open and sending this request at a rate of 1 every second we see:

CPU: Stable
Handles: +2/sec
Memory: +32KB/sec
Threads: +12/sec

Resources are never regained when this attack ceases. Sustained attacking will cause total system resource starvation.


Now, using the FTP proxy port, we issue the command 'OPEN test@127.0.0.1' to port 21.

Keeping the connection open and waiting for responses to each request, sending this request at a rate of 1 every second we see:

CPU: 50-60%
Handles: +8/sec
Memory: +8KB/sec
Threads: +1/sec

All resources and CPU recover when the attack ceases, but sustained attacking will cause total system resource starvation.


Lastly, using the SOCKS proxy, we issue the command '\x04\x01\x04\x38\x7f\x00\x00\x01abcd\x00' to the SOCKS port of 1080. This is a SOCKS CONNECT request to port 1080 on 127.0.0.1.

Keeping the connection open and sending this request at a rate of 1 every second we see:

CPU: Stable
Handles: +1/sec
Memory: +12KB/sec
Threads: +10/sec

All resources and CPU recover when the attack ceases, but sustained attacking will cause total system resource starvation.


It is conceivable that other misconfigured proxy servers suffer from similar loopback connection problems.
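
A proxy-side guard against the loopback requests described above, as an added example that is not part of the original article or AnalogX's own code: it extracts the destination from each of the three request forms shown (HTTP GET, FTP OPEN, SOCKS4 CONNECT) and refuses any that point back at the proxy host. The function names, `LOCAL_ADDRS` and the sample interface address are assumptions.

```python
import ipaddress
import struct
from urllib.parse import urlsplit

# Assumption: the proxy host's own interface addresses (constructed sample value).
LOCAL_ADDRS = {ipaddress.ip_address("192.0.2.10")}

def is_self(host):
    """True if host is a literal address that leads back to this machine."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A name, not a literal: a real proxy must resolve it and run this
        # check on every returned address before connecting.
        return host.lower().rstrip(".") == "localhost"
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 -> 127.0.0.1
    return ip.is_loopback or ip.is_unspecified or ip in LOCAL_ADDRS

def http_target(line):
    """Destination host from 'GET host:port' or 'GET http://host:port/...'."""
    parts = line.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return None
    target = parts[1] if "://" in parts[1] else "//" + parts[1]
    try:
        return urlsplit(target).hostname
    except ValueError:               # malformed bracketed IPv6 literal
        return None

def ftp_target(line):
    """Destination host from the FTP proxy's 'OPEN user@host' command."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "OPEN" or "@" not in arg:
        return None
    return arg.rsplit("@", 1)[1]

def socks4_target(data):
    """Destination IP from a SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL."""
    if len(data) < 9 or data[0] != 4 or data[1] != 1:
        return None
    _port, raw_ip = struct.unpack("!H4s", data[2:8])
    return str(ipaddress.IPv4Address(raw_ip))

PARSERS = {"http": http_target, "ftp": ftp_target, "socks4": socks4_target}

def should_refuse(service, request):
    """Fail closed: refuse unparseable destinations and any that loop back."""
    host = PARSERS[service](request)
    return host is None or is_self(host)
```

The check belongs immediately before the outbound connect in each proxy service, so that a request arriving on one port cannot reach any listener on the same host.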

Copyright © Radsoft. All rights reserved.