Hi again, Dale,
I forgot to say that you don't need to fear releasing your exploit. I
developped its equivalent 4 years ago to stress-test web servers and
proxies, and if I launch it against victim:23, I get the exact same
result within seconds : a CLOSE_WAIT socket :
attacker> ./connectdata 10.0.3.2 23 200 1
ERROR: connect()=-1, nbconn=134 : Connection refused
ERROR: connect()=-1, nbconn=135 : Connection refused
ERROR: connect()=-1, nbconn=136 : Connection refused
ERROR: connect()=-1, nbconn=137 : Connection refused
The program connects 200 sockets to the same IP:port, and sends the begining
of an HTTP request.
victim> sudo netstat -atnp|grep -v LISTEN
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 17 0 10.0.3.2:23 10.0.3.1:38214 CLOSE_WAIT
It's even not necessary to send data, then even faster to block my very old
attacker> ./connectdata-nb 10.0.3.2 23 200
200 connections established.
Press any key so exit.
This time, it sends 200 non-blocking connect() calls without any data. It
takes a fraction of a second with the same result. Hopefully, it'll will
help Peter and you reproduce the problem faster on mysql.
Both programs have been freely available here for two years ; I didn't think
they would be useful again !