Dear *inetd maintainers,

At the moment, if someone sends a spoofed UDP datagram with src:HOSTA:7 dst:HOSTB:7, as in:

    packit -t UDP -s HOSTA -S 7 -d HOSTB -D 7 -p test

that is, with the HOSTA source address spoofed and 7 (echo) as both the source and destination port, and if both HOSTA and HOSTB have that service enabled (OK, that's the least likely part), then upon receiving that packet HOSTB will send the same packet reversed to HOSTA, and we'll start a ping-pong game that will only stop when someone drops the ball (tested on Debian with inetutils-inetd and openbsd-inetd, not xinetd, but I assume it's the same). It's even worse when that initial packet is a broadcast packet.

As a hardening feature, would it make sense for the "echo" service not to answer requests if they come with identical source and destination ports? Maybe it is also worth adding a note in the manual that the echo UDP service can be used in various attacks as well.

What do you think?

Stephane
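The following is an added illustration, not code from the message or from any inetd implementation. It models the proposed hardening (refuse to echo a datagram whose source port equals the service's own port) as a small Python UDP echo responder, and includes a constructed two-host simulation showing why the check matters: without it, one seed datagram from HOSTA:7 to HOSTB:7 bounces back and forth until the hop limit, with it, nothing is sent at all. The port number, host names and hop limit are assumptions for the example.

```python
import socket

ECHO_PORT = 7  # assumption: the echo service listens on its usual port


def should_answer(peer_port: int, local_port: int) -> bool:
    """Decide whether an echo reply is safe to send.

    The hardening proposed in the mail: never answer a datagram whose
    source port equals our own port. Such a datagram is either a spoofed
    loop seed or the reply of another echo service; answering it would
    keep the ping-pong going.
    """
    return peer_port != local_port


def simulate_exchange(hardened: bool, max_hops: int = 20) -> int:
    """Count echo replies two echo hosts exchange after one seed datagram.

    The seed is the constructed datagram from the mail: src HOSTA:7,
    dst HOSTB:7. Each hop, the receiving host echoes the payload back,
    swapping source and destination. Returns the number of replies sent
    before the hop limit is reached (unhardened) or the check drops the
    datagram (hardened).
    """
    # datagram = (src_host, src_port, dst_host, dst_port)
    datagram = ("HOSTA", ECHO_PORT, "HOSTB", ECHO_PORT)
    hops = 0
    while hops < max_hops:
        src_host, src_port, dst_host, dst_port = datagram
        if hardened and not should_answer(src_port, dst_port):
            break  # hardened echo service drops the datagram silently
        datagram = (dst_host, dst_port, src_host, src_port)  # echoed back
        hops += 1
    return hops


def serve(bind_addr: str = "0.0.0.0", port: int = ECHO_PORT) -> None:
    """Minimal hardened UDP echo responder (blocks forever; run manually)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (peer_addr, peer_port) = sock.recvfrom(65535)
        if not should_answer(peer_port, port):
            # Dropped: a datagram from port 7 to port 7 would start or
            # continue a loop between two echo services.
            continue
        sock.sendto(data, (peer_addr, peer_port))


if __name__ == "__main__":
    print("replies without the check:", simulate_exchange(hardened=False))
    print("replies with the check:   ", simulate_exchange(hardened=True))
```

The simulation stops at the hop limit only because the example imposes one; a real pair of unhardened echo services has no such limit, which is the point of the mail. The broadcast case is the same loop fanned out to every echo service on the segment, so the same check covers it.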
