Bugtraq Archives: Re: DoS with sysklogd, glibc (Caldera)

Re: DoS with sysklogd, glibc (Caldera)


Balazs Scheidler (bazsiBALABIT.HU)
Mon, 22 Nov 1999 22:23:19 +0100


>
> 1. Problem Description
>
> On Linux, most services do not log informational or error messages
> to their own files, but use the system log daemon, syslogd, for this.
>
> Unfortunately, the current syslogd has a problem by which any
> user on the local host can mount a denial of service attack that
> effectively stops all logging. Since all programs that want to send
> logging information to syslogd block until they're able to establish
> a connection to syslogd, this will make programs such as login, su,
> sendmail, telnetd, etc hang indefinitely.

This fix (and all the fixes released by distributions in the last couple of
days) switches to using SOCK_DGRAM style sockets from using SOCK_STREAM
ones, which may not be the best solution. It can result in arbitrarily
dropped messages.

I think using a limit on incoming connections, rejecting a connection if the
limit is reached, and logging such rejected attempts would be better, since
the system administrator is notified about the event.

The next version of syslog-ng will contain the latter option. (The first
solution is already supported, since it contains a unix-dgram driver.)

To use the fix issued by distributors (e.g. switching to unix-dgram) with
syslog-ng, change your source statement:

from: source src { unix-stream("/dev/log"); };
to:   source src { unix-dgram("/dev/log"); };

Of course you'll need to apply your local changes.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
     url: http://www.balabit.hu/pgpkey.txt


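As an added illustration of the connection-limit approach proposed in the reply above (example code written for this page, not syslog-ng's or the poster's own), here is a unix-stream log listener that caps concurrent writers, closes the excess connection immediately so the writer is not left hanging, and records the rejection with the peer's pid/uid for the administrator. The cap value, the socket path and the scenario in demo() are constructed; SO_PEERCRED is Linux-specific and falls back to None elsewhere.

```python
import os
import socket
import struct
import tempfile

def open_log_listener(path, backlog=8):
    """Bind a unix-stream listener like the /dev/log socket discussed above."""
    lst = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    lst.bind(path)
    lst.listen(backlog)
    return lst

def peer_identity(conn):
    """Best-effort (pid, uid) of the writer via Linux SO_PEERCRED, else None."""
    try:
        raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, 12)
        pid, uid, _gid = struct.unpack("3i", raw)
        return pid, uid
    except (AttributeError, OSError, struct.error):
        return None

def handle_accept(listener, active, max_conns, rejected_log):
    """Accept one pending connection. Beyond the cap the socket is closed at
    once, so the writer is answered instead of left hanging, and the rejection
    is recorded for the administrator. Returns True if the connection was kept."""
    conn, _ = listener.accept()
    if len(active) >= max_conns:
        rejected_log.append(f"connection limit {max_conns} reached, "
                            f"rejected writer {peer_identity(conn)}")
        conn.close()
        return False
    active.append(conn)
    return True

def demo(max_conns=2):
    """Constructed scenario: max_conns + 1 local writers connect at once.
    Returns (kept count, rejection messages, whether the extra writer saw EOF)."""
    with tempfile.TemporaryDirectory() as d:
        listener = open_log_listener(os.path.join(d, "log"))
        clients = []
        for _ in range(max_conns + 1):
            c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            c.connect(listener.getsockname())
            clients.append(c)
        active, rejected = [], []
        for _ in clients:
            handle_accept(listener, active, max_conns, rejected)
        extra = clients[-1]              # queued last, so the one rejected
        extra.settimeout(1.0)
        saw_eof = extra.recv(16) == b""  # closed by the server, not hung
        for s in clients + active + [listener]:
            s.close()
        return len(active), rejected, saw_eof
```

Compared with the unix-dgram switch, nothing is silently dropped: the kept writers keep their stream, and the one excess writer gets an immediate EOF plus an audit line instead of an indefinite block.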



This archive was generated by hypermail 2.0b3 on Tue Nov 23 1999 - 13:41:15 CST