[12698] in bugtraq


Re: DoS with sysklogd, glibc (Caldera)

daemon@ATHENA.MIT.EDU (Balazs Scheidler)
Tue Nov 23 13:57:50 1999

Message-Id: <19991122222319.C26816@balabit.hu>
Date: Mon, 22 Nov 1999 22:23:19 +0100
Reply-To: Balazs Scheidler <bazsi@BALABIT.HU>
From: Balazs Scheidler <bazsi@BALABIT.HU>
X-To: Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.GSO.4.10.9911220906250.11753-100000@www.securityfocus.com>; from ah@SECURITYFOCUS.COM on Mon, Nov 22, 1999 at 09:08:08AM -0800


>
> 1. Problem Description
>
>    On Linux, most services do not log informational or error messages
>    to their own files, but use the system log daemon, syslogd, for this.
>
>    Unfortunately, the current syslogd has a problem by which any
>    user on the local host can mount a denial of service attack that
>    effectively stops all logging. Since all programs that want to send
>    logging information to syslogd block until they're able to establish
>    a connection to syslogd, this will make programs such as login, su,
>    sendmail, telnetd, etc hang indefinitely.

This fix (and all the fixes released by distributions in the last couple of
days) switches to using SOCK_DGRAM style sockets from using SOCK_STREAM
ones, which may not be the best solution. It can result in arbitrarily
dropped messages.

I think using a limit on incoming connections, rejecting a connection if the
limit is reached, and logging such rejected attempts would be better, since
the system administrator is notified about the event.

The next version of syslog-ng will contain the latter option. (The first
solution is already supported, since it contains a unix-dgram driver):

To use the fix issued by distributors (e.g. switching to unix-dgram) with
syslog-ng, change your source statement:

from: source src { unix-stream("/dev/log"); };
to:   source src { unix-dgram("/dev/log"); };

Of course, you'll need to apply your local changes.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
     url: http://www.balabit.hu/pgpkey.txt
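The alternative Bazsi proposes above, a unix-stream log source that caps concurrent client connections and logs every rejection rather than letting loggers block, as an added example written for this page (it is neither syslog-ng code nor anything posted in the thread); the MAX_CLIENTS value, the log_source_* and log_client_connect names, and the socket path used to try it are assumptions:

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define MAX_CLIENTS 4   /* hypothetical per-source connection limit */
typedef struct { int listen_fd, active, rejected; } log_source_t;

/* Bind a listening SOCK_STREAM socket at path, replacing a stale one. */
int log_source_open(log_source_t *src, const char *path)
{
    struct sockaddr_un sa;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
    unlink(path);
    src->active = src->rejected = 0;
    src->listen_fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (src->listen_fd < 0 || bind(src->listen_fd, (struct sockaddr *)&sa, sizeof sa) < 0) return -1;
    return listen(src->listen_fd, 16);
}

/* Accept one pending client: its fd when admitted; -1 when rejected because
 * MAX_CLIENTS are active (logged, so the administrator sees the event instead
 * of loggers hanging); -2 when accept() failed. Caller decrements active on close. */
int log_source_accept(log_source_t *src)
{
    int fd = accept(src->listen_fd, NULL, NULL);
    if (fd < 0) return -2;
    if (src->active >= MAX_CLIENTS) {
        src->rejected++;
        fprintf(stderr, "log source: limit %d reached, rejecting (%d rejected)\n", MAX_CLIENTS, src->rejected);
        close(fd);
        return -1;
    }
    src->active++;
    return fd;
}

/* What a logger does: connect() to the source path; returns -1 on failure. */
int log_client_connect(const char *path)
{
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
    return (fd < 0 || connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) ? -1 : fd;
}
```

A rejected logger gets EOF or EPIPE on its first use of the socket instead of waiting forever, and the daemon's log carries a count of how often the limit was hit.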

