Vulnerability Development mailing list archives

Re: Possible syslogd DoS ?


From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Thu, 4 Oct 2001 16:10:54 +0200 (MET DST)

On Wed, 3 Oct 2001, Petr Baudis wrote:

  I just recently came on a thought (thanks to Marek Jaros) of a possible
DoS of syslogd. It uses /dev/log for receiving log messages, which has
mode 0666 on most Linuxes. It should be ok, as many non-root applications
should be allowed to log things etc.
  But imagine that you will send a lot of very long messages there, different
every time in order not to get stripped into kinda 'message repeated x times'.
In this way, you can imho flood syslogd successfully, possibly filling the whole
partition where /var/log resides, regardless of your quota settings on
the machine!

Old news. This has been known for a long time. Some (partial) solutions
proposed so far are:

1. limit access to the socket to selected subjects (e.g.
   chgrp sysloggers /dev/log; chmod o= /dev/log, and run all daemons
   with (supplementary) gid sysloggers)

2. implement a method allowing syslogd to identify a subject sending
   messages and...
   2a. make syslogd record that information (making syslog
       spamming accountable and punishable)
   2b. implement some kind of quotas in syslogd using
       this information

3. get rid of a centralized logging facility completely (e.g. DJB's
   daemontools)

Of course, each of them has its advantages and disadvantages. No. 1 is
rather easy but it does not really solve the problem. No. 3 eliminates the
problems of centralized logging... as long as you sacrifice its benefits.
No. 2 appears to be the most promising but its implementation would be
difficult (esp. without some kernel support).

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
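Option 2 above (identify the sender, record it, and enforce a per-sender quota) can be prototyped in user space on Linux, where the SO_PASSCRED socket option makes the kernel attach the sending process's pid/uid/gid (SCM_CREDENTIALS) to every datagram on a Unix socket, so the receiver need not trust anything in the message text. The following is an added example, not code from this thread or from any syslogd; the per-uid token-bucket logic, the rate/burst numbers, and the sample message are constructed for illustration.

```python
import socket
import struct
import time

# Linux `struct ucred` {pid_t pid; uid_t uid; gid_t gid;} as three native ints.
UCRED_FMT = "iii"
SCM_CREDENTIALS = getattr(socket, "SCM_CREDENTIALS", 2)  # value 2 on Linux; absent elsewhere

def parse_ucred(ancdata):
    """Return (pid, uid, gid) from SCM_CREDENTIALS ancillary data, or None if absent."""
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == SCM_CREDENTIALS:
            return struct.unpack(UCRED_FMT, data[:struct.calcsize(UCRED_FMT)])
    return None

class UidQuota:
    """Token bucket per uid: refill `rate` bytes/s, hold at most `burst` bytes."""
    def __init__(self, rate, burst, exempt_uids=(0,), clock=time.monotonic):
        self.rate, self.burst, self.exempt, self.clock = rate, burst, exempt_uids, clock
        self.buckets = {}  # uid -> (tokens, last_refill_time)

    def allow(self, uid, nbytes):
        if uid in self.exempt:
            return True  # e.g. root-owned daemons are never throttled
        now = self.clock()
        tokens, last = self.buckets.get(uid, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = nbytes <= tokens
        self.buckets[uid] = (tokens - nbytes if ok else tokens, now)
        return ok

def handle(msg, ancdata, quota):
    """Return the line syslogd would write (sender recorded), or None if dropped."""
    creds = parse_ucred(ancdata)
    if creds is None:
        return None  # no kernel-supplied credentials: refuse rather than trust the text
    pid, uid, gid = creds
    if not quota.allow(uid, len(msg)):
        return None  # over quota: this uid's bucket is empty
    return f"[uid={uid} pid={pid}] {msg.decode(errors='replace')}"

if __name__ == "__main__":
    # Stand-alone demo (Linux only): a socketpair stands in for /dev/log.
    if hasattr(socket, "SO_PASSCRED"):
        srv, cli = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        cli.send(b"<13>hello from a local process")  # constructed sample message
        msg, anc, _, _ = srv.recvmsg(1024, socket.CMSG_SPACE(struct.calcsize(UCRED_FMT)))
        print(handle(msg, anc, UidQuota(rate=1024, burst=4096)))
```

Once a uid is identified this way it can also be written into the log line (2a) even when no quota is applied, which is what makes flooding attributable.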
