1 2This is a brief note on security aspects of the DICT server: 3 4* Searches that return the whole index 5 Description: 6 Some searches, such as "MATCH * re ." will return the whole 7 database index, and this index must be buffered by the server. Each 8 server instance can therefore be using 4-5MB for a typical 9 installation. This can result in significant resource utilization 10 on the server machine, swapping, and possible DoS. 11 12 Solutions: 13 * limit connections 14 * limit amount of data returned 15 * limit simultaneous outstanding searches (e.g., "increment a lock 16 (eg, create a link to a file) every time you start searching for 17 a definition, and decrement it (eg unlink) when the results have 18 been looked up, if the number (eg link count) exceeds n, sleep a 19 while before looking it up.") 20 21* Denial of service by idling clients 22 Description: 23 An adversary can connect to the server multiple times (until the 24 server limit is reached) and thereby deny other clients access to 25 the server. 26 Solutions: 27 * limit connections based on IP or mask 28 29* Enhance access control, like hosts_access(5) in TCP Wrappers. 30 * NIS/YP 31 * IP/mask 32 * "paranoid" checks for reverse DNS 33 34* Buffer overflow 35 * Robustify logging routines (e.g., daemon_log and use of strlen) 36 37