Date: Mon, 22 Nov 1999 22:23:19 +0100
From: Balazs Scheidler <bazsi@BALABIT.HU>
Subject: Re: DoS with sysklogd, glibc (Caldera)
To: BUGTRAQ@SECURITYFOCUS.COM

> 1. Problem Description
>
> On Linux, most services do not log informational or error messages
> to their own files, but use the system log daemon, syslogd, for this.
>
> Unfortunately, the current syslogd has a problem by which any
> user on the local host can mount a denial of service attack that
> effectively stops all logging. Since all programs that want to send
> logging information to syslogd block until they're able to establish
> a connection to syslogd, this will make programs such as login, su,
> sendmail, telnetd, etc hang indefinitely.

This fix (and all the fixes released by distributions in the last couple of
days) switches to using SOCK_DGRAM style sockets from using SOCK_STREAM
ones, which may not be the best solution. It can result in arbitrarily
dropped messages.

I think using a limit on incoming connections, rejecting a connection if the
limit is reached, and logging such rejected attempts would be better, since
the system administrator is notified about the event.

The next version of syslog-ng will contain the latter option. (The first
solution is already supported, since it contains a unix-dgram driver):

To use the fix issued by distributors (e.g. switching to unix-dgram) with
syslog-ng, change your source statement:

from:

    source src { unix-stream("/dev/log"); };

to:

    source src{ unix-dgram("/dev/log"); };

Of course you'll need to apply your local changes.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
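
The connection-limit alternative described in the message above, sketched as an added example; it is not code from syslog-ng, sysklogd or the original post. The class name, the limit of two, the temporary socket path standing in for /dev/log and the message texts are all assumptions made for illustration.

```python
import os, selectors, socket, tempfile

class LimitedStreamSource:
    """Illustrative unix-stream log listener with a cap on open connections."""
    def __init__(self, path, max_connections):
        self.max_connections = max_connections
        self.clients, self.messages, self.rejected = set(), [], 0
        self.sel = selectors.DefaultSelector()
        self.listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.listener.bind(path)
        self.listener.listen(16)
        self.listener.setblocking(False)
        self.sel.register(self.listener, selectors.EVENT_READ, self._accept)

    def _accept(self, listener):
        conn, _ = listener.accept()
        if len(self.clients) >= self.max_connections:
            conn.close()  # reject at once rather than queueing the client
            self.rejected += 1
            self.messages.append("syslog: connection limit reached, rejected")  # tell the admin
            return
        conn.setblocking(False)
        self.clients.add(conn)
        self.sel.register(conn, selectors.EVENT_READ, self._read)

    def _read(self, conn):
        data = conn.recv(4096)
        if not data:  # peer closed: release its slot
            self.sel.unregister(conn)
            self.clients.discard(conn)
            conn.close()
        # Simplification: each read is taken as whole newline-separated messages.
        self.messages.extend(data.decode(errors="replace").splitlines())

    def poll(self, rounds=5, timeout=0.05):
        for _ in range(rounds):
            for key, _events in self.sel.select(timeout):
                key.data(key.fileobj)  # dispatch to _accept or _read

def demo(limit=2, attempts=3):
    """Constructed scenario: three local clients against a limit of two."""
    path = os.path.join(tempfile.mkdtemp(), "log")  # stand-in for /dev/log
    src = LimitedStreamSource(path, limit)
    conns = [socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) for _ in range(attempts)]
    for c in conns:
        c.connect(path)
    src.poll()
    conns[0].sendall(b"<38>su: session opened\n")  # constructed message
    src.poll()
    return len(src.clients), src.rejected, src.messages
```

The rejected client sees its connection closed immediately, while the clients already connected keep logging and the rejection itself appears in the log.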