Vulnerability Development mailing list archives
Re: Possible syslogd DoS ?
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Thu, 4 Oct 2001 16:10:54 +0200 (MET DST)
On Wed, 3 Oct 2001, Petr Baudis wrote:
> I just recently came on a thought (thanks to Marek Jaros) of possible DoS of syslogd. It uses /dev/log for receiving log messages, which has mode 0666 on most linuxes. It should be ok, as many non-root applications should be allowed to log things etc. But imagine that you will send a lot of very long messages there, different every time in order not to get stripped into kinda 'message repeated x times'. In this way, you can imho flood syslogd successfully, possibly filling whole partition where /var/log resides, regardless of your quota settings on the machine!
Old news. This has been known for a long time. Some (partial) solutions proposed so far are:

1. limit access to the socket to selected subjects (e.g. chgrp sysloggers /dev/log; chmod o= /dev/log, and run all daemons with (supplementary) gid sysloggers)
2. implement a method allowing syslogd to identify a subject sending messages and...
   2a. make syslogd record that information (making syslog spamming accountable and punishable)
   2b. implement some kind of quotas in syslogd using this information
3. get rid of a centralized logging facility completely (e.g. DJB's daemontools)

Of course, each of them has its advantages and disadvantages. No 1. is rather easy but it does not really solve the problem. No 3. eliminates the problems of centralized logging...as long as you sacrifice its benefits. No 2. appears to be the most promising but its implementation would be difficult (esp. without some kernel support).

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
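Options 2a and 2b from the reply above, as an added example that is not from the thread: a receiver that asks the Linux kernel for the sender's credentials on every datagram (SO_PASSCRED / SCM_CREDENTIALS, which is the kind of kernel support the reply mentions) and enforces a per-uid byte quota. It uses a constructed socketpair in place of /dev/log, and the quota numbers are arbitrary.

```python
import socket
import struct
from collections import defaultdict

UCRED_FMT = "3i"  # struct ucred on Linux: pid_t pid; uid_t uid; gid_t gid
UCRED_LEN = struct.calcsize(UCRED_FMT)

def make_receiver_pair():
    """Constructed stand-in for /dev/log: a connected AF_UNIX datagram pair.
    SO_PASSCRED makes the kernel attach sender credentials to every datagram."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
    return client, server

def recv_with_creds(server, bufsize=8192):
    """Return (message, pid, uid, gid) using the kernel-supplied SCM_CREDENTIALS."""
    msg, ancdata, _flags, _addr = server.recvmsg(bufsize, socket.CMSG_SPACE(UCRED_LEN))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            pid, uid, gid = struct.unpack(UCRED_FMT, data[:UCRED_LEN])
            return msg, pid, uid, gid
    raise RuntimeError("datagram arrived without SCM_CREDENTIALS")

class UidQuota:
    """Per-uid byte budget per fixed window (2b): over-budget datagrams are
    dropped and counted, so one user cannot fill the /var/log partition."""
    def __init__(self, max_bytes, window_seconds):
        self.max_bytes, self.window = max_bytes, window_seconds
        self.state = {}  # uid -> [window_start, bytes_used]
        self.dropped = defaultdict(int)

    def accept(self, uid, nbytes, now):
        start, used = self.state.get(uid, (now, 0))
        if now - start >= self.window:  # window expired: start a fresh one
            start, used = now, 0
        if used + nbytes > self.max_bytes:
            self.state[uid] = [start, used]
            self.dropped[uid] += 1
            return False
        self.state[uid] = [start, used + nbytes]
        return True

def handle_one(server, quota, now):
    """Receive one datagram; return (uid, pid, message) to log, or None if the
    sender's quota is exhausted. Logging uid/pid makes spam attributable (2a)."""
    msg, pid, uid, _gid = recv_with_creds(server)
    if not quota.accept(uid, len(msg), now):
        return None
    return uid, pid, msg
```

The uid and pid come from the kernel, not from the message text, so a sender cannot forge them the way it can forge the syslog header.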