[1048] in linux-security and linux-alert archive


Re: System log practicalities (was Re: [linux-security] qmail,wu.ftpd,deslogind, in.telnetsnoopd ?)

daemon@ATHENA.MIT.EDU (Sam Quigley)
Thu Aug 22 07:12:14 1996

Date: Wed, 21 Aug 1996 14:28:53 -0700 (PDT)
From: Sam Quigley <poodge@econ.Berkeley.EDU>
To: Louis Mandelstam <louis@sacc.org.za>
cc: "Paul D. Robertson" <proberts@clark.net>,
        Jonathan Larmour <JLarmour@origin-at.co.uk>,
        Frank Parato <fparato@gti.net>, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.94.960820162538.280K-100000@lh1.sacc.org.za>



On Tue, 20 Aug 1996, Louis Mandelstam wrote:

> I don't know - apart from remote connections (which we can limit to some
> extent) what practical ways would there be for an attacker to really flood
> syslog?
> 
> [REW: Trivial. Find anything that gets logged and repeat that.]

But surely a clever syslog would respond to this sort of repeated log by 
saying something like:

Syslog: Last message repeats x times.

Each syslog entry needs to be unique, and there need to be a whole lot of 
them.  I don't immediately see how an attacker could flood syslog with 
unique messages without leaving evidence of how those messages were sent.

(I am willing to concede that it's possible -- I'm just curious as to 
how.  In any case, a clever syslog like this isn't a great solution: 
there needs to be some way to prevent this kind of attack altogether.)

[REW: Just make sure that there are two different messages that you
alternate (for example by alternating telnet and rsh requests). Or
find a daemon that logs two different lines (e.g. rsh as root, which
gives you a tcpd line and a rsh line). Or find a daemon that puts a
unique identifier (pid) in the log (e.g. sendmail). ]

-sq
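As an added illustration, not part of the original thread, the following Python simulation shows why the "last message repeated N times" suppression discussed above does not stop a log flood. It models the classic BSD syslogd behaviour in simplified form (an incoming message identical to the previous one is counted instead of written, and the count is flushed when a different message arrives; the real daemon's timer-based flush is omitted). The three floods it feeds in are constructed: a single repeated login failure, tcpd-style lines alternating between telnet and rsh as REW suggests, and sendmail-style lines carrying a fresh pid each time. The log texts, host address and pid values are made up for the example.

```python
"""Simulate syslogd-style 'last message repeated N times' collapsing and
measure how many lines each kind of flood actually forces onto disk."""
from typing import Iterable, List


def collapse_repeats(messages: Iterable[str]) -> List[str]:
    """Return the lines a syslogd-style collapser would write.

    Simplified model of the 4.3BSD syslogd behaviour (assumption: no
    timer-based flush): a message equal to the previous one is counted
    rather than written; when a different message arrives, or input ends,
    a single 'last message repeated N times' line is emitted instead.
    """
    out: List[str] = []
    prev = None
    repeats = 0
    for msg in messages:
        if msg == prev:
            repeats += 1
            continue
        if repeats:
            out.append(f"last message repeated {repeats} times")
        out.append(msg)
        prev = msg
        repeats = 0
    if repeats:
        out.append(f"last message repeated {repeats} times")
    return out


def same_message_flood(n: int) -> List[str]:
    """Constructed flood: the same login failure, n times (collapses well)."""
    line = "login: FAILED LOGIN 1 FROM ttyp0 FOR guest, Authentication failure"
    return [line] * n


def alternating_flood(n: int) -> List[str]:
    """Constructed flood: REW's trick, alternating telnet and rsh connects.

    tcpd-style wording; the source host is a made-up address.
    """
    telnet = "in.telnetd: connect from 10.0.0.5"
    rsh = "in.rshd: connect from 10.0.0.5"
    return [telnet if i % 2 == 0 else rsh for i in range(n)]


def pid_flood(n: int) -> List[str]:
    """Constructed flood: a daemon that logs its pid (sendmail-style) makes
    every message unique even when the text is otherwise identical."""
    base_pid = 4000  # assumed starting pid, purely illustrative
    return [f"sendmail[{base_pid + i}]: NOQUEUE: connection from 10.0.0.5"
            for i in range(n)]


def lines_written(flood: List[str]) -> int:
    """Lines that reach the log file after collapsing."""
    return len(collapse_repeats(flood))


def demo(n: int = 1000) -> dict:
    """Compare the three floods; returns {flood name: lines written}."""
    return {
        "same message": lines_written(same_message_flood(n)),
        "alternating two messages": lines_written(alternating_flood(n)),
        "unique pid per line": lines_written(pid_flood(n)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name:>26}: {count} lines written for 1000 messages")
```

With the simplified model the identical-message flood costs the attacker 1000 messages for 2 written lines, while both of REW's variants (two alternating messages, or one message with a changing pid) get all 1000 lines written, since the collapser only compares each message with the one immediately before it.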
