
Author Topic: Network security on AmigaOS with MiamiDx or any other stack  (Read 4895 times)


Offline Piru

  • \' union select name,pwd--
  • Hero Member
  • *****
  • Join Date: Aug 2002
  • Posts: 6946
    • http://www.iki.fi/sintonen/
Re: Network security on AmigaOS with MiamiDx or any other stack
« on: October 11, 2003, 01:06:55 AM »
Quote
Just take care that you don't use (mount) the AWNPIPE and you're safe.

APIPE: has a similar problem, so take care you don't mount either AWNPIPE or APIPE:.
 

Piru
Re: Network security on AmigaOS with MiamiDx or any other stack
« Reply #1 on: October 11, 2003, 01:21:13 AM »
Quote
MiamiDx's flood protection kicks in, but is surpassed.

Ping flood protection is pretty much useless, as the packets get processed until they reach the filter stage. It takes considerable resources to process the packets before they "flow down" to the part where the filtering is done. Send enough fragmented packets that need reassembly, and the packet I/O, packet reassembly and filtering will consume all CPU time and internal buffer memory.

Also, if you are unlucky enough to piss off some script kiddie with a botnet, you could be in real trouble. With his flood the incoming traffic will be so enormous that it will prevent any other legitimate traffic from reaching the system anyway, and all incoming traffic will stop (including TCP streams, which will disconnect if the flood stays persistent). Usually this is caused by a DDoS attack using a botnet (a network of hundreds to thousands of hacked zombie Windows machines controlled by the script kiddie).

The only way to stop such a flood is to have a 100 Mbit pipe to the internet and serious networking hardware filtering the traffic at that point, or to have your ISP block the flood earlier.
 

Piru
Re: Network security on AmigaOS with MiamiDx or any other stack
« Reply #2 on: October 11, 2003, 01:35:13 AM »
Quote
Is AmiTCP (the version geekgadgets distributes) still updated and fixed?

The free version of AmiTCP is not updated, and never really was.

Even the latest commercial AmiTCP, included with AmigaOS 3.9, has some grave issues:

- The TCP ISN generator is a simple 64k ruler. It is child's play to predict (spoofing TCP connections).

- ftpd 1.2 (Oct 3 1994) has a crash bug in the STAT command:

What happens is that the ftpd STAT command blindly assumes fopen() succeeds, that is, it doesn't check for a NULL result from the call. If NULL is returned, ftpd will happily peek & poke the zero page, eventually trashing the ExecBase pointer (absolute address 4). This problem is exploitable as anonymous user.

I won't provide an example on this public forum, for obvious reasons.
 
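As an added illustration (not the AmiTCP ftpd source, which is not shown in this thread), here is the pattern the post describes: a STAT-style handler that uses the result of fopen() without a NULL check, beside one that checks it. The reply codes, the "count the lines" behaviour, the sample file contents and the /tmp path are all assumptions made for the example.

```c
/* Added example, not the AmiTCP ftpd code: unchecked fopen() beside the
 * checked form. Reply codes, line counting and the sample path are assumed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

static char reply[256];   /* last reply line the handler would send */

/* Vulnerable shape: fp may be NULL but is used anyway. stdio then reads and
 * writes the FILE structure it believes lives at address 0. On AmigaOS
 * nothing stops that, so low memory (including the ExecBase pointer at
 * address 4) gets trashed; on an MMU-protected system it simply crashes.
 * Shown for comparison only; never called below. */
int stat_file_unchecked(const char *path)
{
    FILE *fp = fopen(path, "r");
    int lines = 0, c;
    while ((c = fgetc(fp)) != EOF)      /* fp == NULL is never considered */
        if (c == '\n') lines++;
    fclose(fp);
    return lines;
}

/* Hardened shape: refuse the command when the file cannot be opened.
 * Returns the line count, or -1 with a 450 reply on failure. */
int stat_file_checked(const char *path)
{
    FILE *fp = fopen(path, "r");
    int lines = 0, c;
    if (fp == NULL) {
        snprintf(reply, sizeof reply, "450 %s: %s\r\n", path, strerror(errno));
        return -1;
    }
    while ((c = fgetc(fp)) != EOF)
        if (c == '\n') lines++;
    fclose(fp);
    snprintf(reply, sizeof reply, "213 %s: %d lines\r\n", path, lines);
    return lines;
}

const char *last_reply(void) { return reply; }

/* Writes a small constructed listing (3 lines) so the example runs offline. */
int write_sample(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    fputs("drwxr-xr-x 2 ftp ftp 512 Oct 3 1994 incoming\n"
          "-rw-r--r-- 1 ftp ftp 123 Oct 3 1994 README\n"
          "-rw-r--r-- 1 ftp ftp 456 Oct 3 1994 index.txt\n", fp);
    return fclose(fp);
}

int main(void)
{
    const char *sample = "/tmp/stat_sample.txt";  /* assumed writable */
    if (write_sample(sample) == 0) {
        stat_file_checked(sample);
        fputs(reply, stdout);           /* 213 ...: 3 lines */
    }
    stat_file_checked("/no/such/directory/file");
    fputs(reply, stdout);               /* 450 ...: No such file or directory */
    return 0;
}
```

The checked version is what a one-line fix in the server would look like; the thread's advice to disable anonymous access only shrinks who can reach the unchecked path, it does not remove it.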

Piru
Re: Network security on AmigaOS with MiamiDx or any other stack
« Reply #3 on: October 11, 2003, 05:12:12 PM »
@tormedhammaren
Quote
The ping flood protection sends all packets to NIL: ?

Yes. Well, not literally NIL:, the packets are just discarded. But those packets still need to pass through the SANA2 driver and the IP level before they can be detected and dropped. This code path is quite long, so it can cause problems, at least on slower systems.

Quote
The problem is that the Amiga features much less processing power compared to a more modern system. So you can easily DoS it from just one host if both sides have high bandwidth.

Right. With modern hardware a simple ping flood is not going to take the system down; instead all the bandwidth needs to be consumed (usually with DDoS).

Quote
Can script kiddies get that strong? Hope there aren't too many of those..

They are that strong already. Some years ago there was a problem with kiddies crashing IRC servers and/or causing netsplits and then riding the split to perform channel takeovers. Some very large websites have been taken down, even most of the DNS root servers simultaneously.

In fact, some of the modern viruses turn the Windoze boxes into these zombies, part of the botnet. Another common way is to send out a trojan via email that patches the system and adds it as a node to such a network.

There is some speculation that these viruses are in fact spread by spammers to generate large networks to send out spam email and to DDoS antispam services. At least three large AS services have already been shut down due to enduring DDoS attacks.

Another wild theory is that these viruses are in fact made by the NSA to test large-scale electronic warfare. It would be of interest to the USA since they're the most vulnerable to such an attack, if ever performed as an act of war or terrorism. The date-triggered self-destruct of the viruses backs up this theory somewhat, since this way the effect of the virus is limited.

Quote
This means that you can make a system believe that you are a trusted host. This is what Mitnick did to break into Tsutomu Shimomura's machine.

Right. Mitnick used this method to spoof a trusted LAN host and used the rsh service to execute a command that injected "+ +" into root's .rhosts file. This way, any host could rlogin as root or execute remote commands as root. There is a description of the hack on Usenet by Tsutomu Shimomura.

Quote
In which products is this ftpd used?

To my knowledge, all AmiTCP/IP versions available (that include the ftpd).

Quote
Is there a fix?

No fix is available. However, you can disable anonymous access to limit the threat to trusted users only.

I would still recommend you use some other ftpd instead.
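Added example (C, not AmiTCP or MiamiDx code) for the "64k ruler" ISN remark and for the Mitnick-style trusted-host spoof discussed above: it models a server whose ISN steps by a constant per connection (the step of 0x10000 and the seeds are assumptions, as is the xorshift PRNG standing in for a real random generator) beside one that randomises, and runs the blind three-way handshake from the attacker's side. In the real attack the trusted host is also silenced first so it cannot RST the SYN/ACK it receives; that step is left out here.

```c
/* Added example, not AmiTCP/MiamiDx code: a constant-stride ("ruler") ISN
 * generator beside a randomised one, and the blind handshake an attacker
 * runs against each. Step size, seeds and the xorshift stand-in are assumed. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int      use_ruler;  /* 1: linear generator, 0: PRNG stand-in */
    uint32_t ruler;      /* state of the linear generator */
    uint32_t prng;       /* xorshift32 state (stand-in for a real CSPRNG) */
    uint32_t last_isn;   /* ISN the server used in its most recent SYN/ACK */
} tcp_server;

static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Server side: choose the ISN for a new connection (sent in the SYN/ACK). */
static uint32_t server_syn(tcp_server *srv)
{
    if (srv->use_ruler) {
        srv->ruler += 0x10000u;                /* assumed "64k ruler" step */
        srv->last_isn = srv->ruler;
    } else {
        srv->last_isn = xorshift32(&srv->prng);
    }
    return srv->last_isn;
}

/* Server side: the final ACK of the handshake must acknowledge ISN + 1. */
static int server_ack(const tcp_server *srv, uint32_t ack)
{
    return ack == srv->last_isn + 1;
}

/* Attacker side: from two ISNs observed on its own legitimate connections,
 * extrapolate the next one. Correct for any constant stride (mod 2^32). */
uint32_t predict_next_isn(uint32_t isn_a, uint32_t isn_b)
{
    return isn_b + (isn_b - isn_a);
}

/* The whole exchange. Returns 1 if the spoofed handshake is accepted. */
int blind_spoof_succeeds(int use_ruler)
{
    tcp_server srv = { use_ruler, 0x12340000u, 0x9E3779B9u, 0 };

    /* 1. Attacker opens two ordinary connections from its own address and
     *    records the ISNs the server hands out in its SYN/ACKs. */
    uint32_t a = server_syn(&srv);
    uint32_t b = server_syn(&srv);

    /* 2. Attacker sends a SYN with the trusted host's address as source.
     *    The SYN/ACK goes to the trusted host, so the attacker never sees it. */
    uint32_t unseen = server_syn(&srv);
    (void)unseen;

    /* 3. Attacker blindly ACKs predicted ISN + 1. If accepted, the data that
     *    follows (e.g. an rsh command) is processed as if from the trusted host. */
    uint32_t guess = predict_next_isn(a, b);
    return server_ack(&srv, guess + 1);
}

int main(void)
{
    printf("ruler ISN:  spoofed handshake %s\n",
           blind_spoof_succeeds(1) ? "accepted" : "rejected");
    printf("random ISN: spoofed handshake %s\n",
           blind_spoof_succeeds(0) ? "accepted" : "rejected");
    return 0;
}
```

With the ruler the third ISN is exactly the extrapolation of the first two, so the blind ACK lands; with unpredictable ISNs the attacker is guessing a 32-bit value it never observes.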