Notes/Domino Fix List
SPR # JFOR5BNGUM - Fixed in 5.0.13 release - Security fix

Product Area: Server   Technical Area: Networking & Dialup   Platform: Cross Platform

SPR# JFOR5BNGUM - This fix provides the Administrator with two notes.ini variables to stop a denial of service attack on the network under certain circumstances. See technote #1105201 for complete details.

Technote Number: 1105201

Problem:
This issue has been reported to Lotus Software Quality Engineering. Beginning
in Domino 6.0.1, when the administrator detects this problem occurring, they can
set one of two NOTES.INI parameters to stop accepting connections from specific
IP addresses. For the R5 codestream, the same INI parameters were added in
Domino 5.0.13.

The parameters are as follows:

<Name>AllowAddresses = addresses
<Name>DenyAddresses = addresses

The value you use for <Name> is as follows:

For NRPC connections, use Server, so the parameter reads ServerAllowAddresses
or ServerDenyAddresses.
For Internet service framework listeners (not the Web server), use the name of
the Internet service, such as POP3AllowAddresses.

The value for addresses is a comma-separated list of IP addresses. An asterisk
can stand in for any one part (octet) of an address, so a single pattern can
cover a range of hosts. For example:

ServerAllowAddresses = 10.0.0.1, 10.0.*.2
POP3DenyAddresses = 10.0.0.1, 10.*.*.*

The first time such a NOTES.INI parameter is added to NOTES.INI, the change
takes effect dynamically; the server need not be restarted. Any later change to
the parameter requires a server restart before it takes effect.

To find the IP address or addresses to block, the administrator can use one of
two methods:

1. On the server you believe is under attack, enter the following console
command, where tcpip is the name of your TCP port:

show port tcpip

This command lists all current connections. If many of them come from a single
IP address, that address is probably the culprit.

2. Use a platform-specific tool such as NETSTAT to list all active TCP/IP
connections and, again, look for a single IP address that accounts for the
majority of them.
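As an added illustration of method 2 (this is not part of the technote and not Domino code), the following Python parses a constructed listing in the layout of "netstat -an", counts connections per remote address for one listener port, and flags a source that holds most of them. The addresses, ports and counts are invented, and the 50% share threshold is an assumption chosen for the example.

```python
from collections import Counter
import re

# Constructed sample in the layout of "netstat -an" (proto, local, remote, state).
# Addresses and counts are invented for this example; 1352 is the NRPC port, 110 is POP3.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:1352          10.0.0.9:50211         ESTABLISHED
  TCP    10.0.0.5:1352          198.51.100.7:49152     ESTABLISHED
  TCP    10.0.0.5:1352          198.51.100.7:49153     ESTABLISHED
  TCP    10.0.0.5:1352          198.51.100.7:49154     ESTABLISHED
  TCP    10.0.0.5:1352          198.51.100.7:49155     TIME_WAIT
  TCP    10.0.0.5:110           198.51.100.7:49156     ESTABLISHED
  TCP    10.0.0.5:110           203.0.113.4:40001      ESTABLISHED
  TCP    10.0.0.5:1352          0.0.0.0:0              LISTENING
"""

# One TCP row: local ip:port, remote ip:port, state. Header and non-TCP rows do not match.
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)"
)


def parse_connections(text):
    """Yield (local_port, remote_ip, state) for each client connection in the listing."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a row that is not a TCP connection
        if m.group("state") == "LISTENING":
            continue  # the listener socket itself, not a client
        yield int(m.group("lport")), m.group("rip"), m.group("state")


def connections_per_source(text, local_port=None):
    """Count connections per remote IP, optionally restricted to one listener port."""
    counts = Counter()
    for lport, rip, _state in parse_connections(text):
        if local_port is None or lport == local_port:
            counts[rip] += 1
    return counts


def top_source(text, local_port=None, min_share=0.5):
    """Return (ip, count, share) for the busiest remote IP if it holds at least
    min_share of the connections, else None. A single source holding most of the
    connections is the signature the technote tells the administrator to look for.
    The 0.5 default is an assumption for this example."""
    counts = connections_per_source(text, local_port)
    total = sum(counts.values())
    if total == 0:
        return None
    ip, n = counts.most_common(1)[0]
    share = n / total
    return (ip, n, share) if share >= min_share else None


if __name__ == "__main__":
    hit = top_source(NETSTAT_SAMPLE, local_port=1352)
    if hit:
        ip, n, share = hit
        print(f"{ip} holds {n} of the port-1352 connections ({share:.0%}); candidate for ServerDenyAddresses")
```

Half-open and TIME_WAIT rows are counted on purpose: in the attack the technote describes, the connections are broken by the time the worker reads them, so the offending address shows up mostly in short-lived states rather than as long ESTABLISHED sessions.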

Without this NOTES.INI setting, each TCP/IP connection causes either a new
thread to be allocated and dispatched (for the Internet servers) or a new
session to be created (for the NRPC server). That thread or session must then
be context-switched in, initialized, perform its read, detect that the
connection has already been broken, and tear itself down. Under a constant
stream of thousands of such connections, the single thread that accepts
connections outruns the many threads trying to destroy them, and the server
runs out of virtual memory.

The change made in Domino 6.0.1 is a simple check of the NOTES.INI variable at
the point where a new connection arrives in the single listening thread. If the
source address matches the configured patterns, the connection is dropped before
any thread or session is created. Because the same listening thread both
accepts and drops connections, it can never fall behind. When an attack occurs,
CPU use may rise, but not dangerously, and memory use is not affected at all.
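The listener-side check described above, as an added Python example that is not Domino code: it parses constructed NOTES.INI lines, applies the per-octet asterisk wildcard, and decides for each arriving connection before any thread or session would be created. The parameter names follow the technote (ServerDenyAddresses, POP3AllowAddresses); the precedence used when both an allow list and a deny list are set for the same service is an assumption, since the technote only describes setting one of them.

```python
# Constructed NOTES.INI fragment; ServerTasks is included only to show that
# unrelated lines are skipped.
NOTES_INI_SAMPLE = """\
ServerTasks=Router,Replica,Update
ServerDenyAddresses=10.0.0.1, 10.*.*.*
POP3AllowAddresses=192.0.2.*
"""


def parse_notes_ini(text):
    """Parse NAME=value lines into a dict; blank lines and ';' comments are skipped.
    Names are matched exactly as written here (an assumption for the example)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip()] = value.strip()
    return settings


def parse_address_list(value):
    """Split the comma-separated address list the technote describes, dropping blanks."""
    return [a.strip() for a in value.split(",") if a.strip()]


def address_matches(pattern, address):
    """True if a dotted-quad address matches a pattern in which '*' stands for one
    whole part of the address, e.g. 10.0.*.2 matches 10.0.7.2 but not 10.1.7.2."""
    p_parts, a_parts = pattern.split("."), address.split(".")
    if len(p_parts) != 4 or len(a_parts) != 4:
        return False  # malformed pattern or address never matches
    return all(p == "*" or p == a for p, a in zip(p_parts, a_parts))


def listener_accepts(settings, service, address):
    """Decide whether the listening thread for `service` ("Server" for NRPC, or the
    Internet service name such as "POP3") should accept a connection from `address`.

    Assumption (not defined by the technote): a DenyAddresses match drops the
    connection; otherwise, if AllowAddresses is set, only matching addresses are
    accepted. With neither list set, every address is accepted."""
    deny = parse_address_list(settings.get(f"{service}DenyAddresses", ""))
    allow = parse_address_list(settings.get(f"{service}AllowAddresses", ""))
    if any(address_matches(p, address) for p in deny):
        return False
    if allow and not any(address_matches(p, address) for p in allow):
        return False
    return True


def filter_connections(settings, service, sources):
    """Simulate the accept loop: only addresses returned here would get a session
    or worker thread; the rest are dropped by the listener itself."""
    return [src for src in sources if listener_accepts(settings, service, src)]


if __name__ == "__main__":
    cfg = parse_notes_ini(NOTES_INI_SAMPLE)
    arrivals = ["10.0.0.1", "198.51.100.7", "10.200.1.1"]  # constructed sources
    print("NRPC accepted:", filter_connections(cfg, "Server", arrivals))
```

The check is cheap by design: a few string comparisons per arriving connection, done on the accepting thread, which is why the technote can say the listener never falls behind while the threads that would otherwise be created are never started.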

Excerpt from the Lotus Notes and Domino Release 5.0.13 / 5.0.13a MR fix list
(available at http://www.ibm.com/developerworks/lotus):
SPR# JFOR5BNGUM - This fix provides the Administrator with two notes.ini variables to stop a denial of service attack on the network under certain circumstances. See technote #1105201 for complete details.



Last Modified on 05/18/2007