[638] in linux-security and linux-alert archive


[linux-security] Summary re: syslogd spam

daemon@ATHENA.MIT.EDU (Olaf Kirch)
Wed Mar 20 15:31:55 1996

To: linux-security@tarsier.cv.nrao.edu
Date: Tue, 19 Mar 1996 21:36:02 +0100
From: Olaf Kirch <okir@monad.swb.de>


There have been quite a number of responses regarding John Betts' message,
which I summarize below.

Olaf
-------------------
From: jacob@esisys.com (Jacob Langseth)

syslogd listens on UDP port 516, and will log what it receives to the
system logs.

[mod: It's port 514 anyway --okir]

This can be useful -- it allows one to designate a single secure host
to handle all system logging for a network, drastically reducing
administrative overhead etc, but is definitely unwanted in the case of
a stand-alone host.

I know of no way to disable it short of filtering it at the network
level -- you could either set the router for your network to drop
incoming UDP packets destined for port 516, or enable the firewalling
code in the linux kernel and have a rule like:

        ipfw add blocking reject udp from 0/0 to $me 514   # syslog listens on UDP 514, not 516


>10:06:02.664395 rbit.co.za.echo > www.iuma.com.echo: udp 186
>10:06:02.732615 www.iuma.com.echo > rbit.co.za.echo: udp 186
>10:06:02.733221 rbit.co.za.echo > www.iuma.com.echo: udp 186

This is a UDP storm.  A UDP packet was forged from www.iuma.com
and sent to your echo service, which echoed the packet back to
_their_ echo service, creating an infinite loop and sucking
bandwidth from all networks involved.

The solution is to turn off your echo service -- comment it out
from /etc/inetd.conf and kill -HUP inetd.

In general, if a service isn't needed it will only cause problems.
Comment out all services that you do not want to specifically
provide, definitely including systat, netstat, and echo.


-------------------
From: iialan@iifeak.swan.ac.uk (Alan Cox)

Someone is spamming your machine. Find out who is the provider to iuma.com
and complain. If that doesn't work threaten to file a lawsuit

-------------------
From: halflife <halflife@tcpip.geek.net>

These look like 2 distinct and separate attacks.

The former will be covered first. syslogd listens on a udp port for 
messages (you can direct all your syslogs to point to a single logging 
host, this is the primary reason it does this). Since it is udp, there is 
no authentication, so all someone has to do is be able to program just 
enough to forge ip/udp headers, and they can scribble on your syslog with 
any ip source address. There is not much that can be done to fix this, 
you could block the syslog port at your router, I suppose. You could also 
recompile syslogd to not support udp, which is probably the best solution 
if you don't have anything that requires udp services.

The latter attack looks to be an echo bounce attack. This involves sending 
a udp packet with the src and dst ports both set to the echo port. Since 
when the echo daemon gets a packet, it returns it to the src host at the 
src port, which does the same, etc creating a loop until the packet is 
dropped. This one is simple, just disable the internal services. There is 
a cert advisory about this sort of thing.

Both of these are denial-of-service attacks, and are of no real 
importance. Since they are using UDP, there is no (easy) way to track 
down the actual people who are doing this (there's a very good chance that 
the echo attack is using fake source addresses as well).

Let me know if I can be of any further assistance.
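
The echo bounce described in this reply and in Jacob Langseth's reply above, as an added example that is not part of the thread: a Python script that reads tcpdump-style UDP lines and reports host pairs exchanging traffic between two "internal" bouncing services in both directions. The first three sample lines are the ones quoted in the thread; the fourth, an ordinary DNS query, is constructed here to show a line that must not be flagged.

```python
"""Spot a UDP echo/chargen bounce loop in tcpdump output.

Added example, not from the thread.  The first three sample lines are the
packets quoted in the thread; the fourth (a normal DNS query) is constructed
to show a line that must not be flagged.
"""
import re
from collections import Counter

# tcpdump prints UDP lines as:  HH:MM:SS.usec src.port > dst.port: udp LEN
# Ports appear as service names when tcpdump can resolve them.
LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+)\s+(?P<src>\S+)\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+):\s+udp\s+(?P<len>\d+)$"
)

# inetd "internal" UDP services that answer every datagram they receive.
# A packet travelling from one of these ports to another can be bounced
# back and forth indefinitely.  Names and numbers are both accepted.
BOUNCE_PORTS = {"echo", "7", "chargen", "19", "daytime", "13", "time", "37"}

SAMPLE_DUMP = """\
10:06:02.664395 rbit.co.za.echo > www.iuma.com.echo: udp 186
10:06:02.732615 www.iuma.com.echo > rbit.co.za.echo: udp 186
10:06:02.733221 rbit.co.za.echo > www.iuma.com.echo: udp 186
10:06:02.800000 rbit.co.za.1234 > ns.example.net.domain: udp 40
"""


def parse_udp_lines(text):
    """Yield a dict per line matching tcpdump's UDP format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_bounce_loops(text, min_packets=2):
    """Return {(hostA, hostB): packet_count} for host pairs whose traffic
    runs between two bouncing ports in both directions.

    One spoofed datagram is enough to start the loop, so the threshold is
    deliberately low.  The key is sorted so A->B and B->A count as one pair,
    and a pair is only reported when both directions were seen: a one-off
    probe to the echo port is not a loop.
    """
    pairs = Counter()
    directions = {}
    for p in parse_udp_lines(text):
        if p["sport"] in BOUNCE_PORTS and p["dport"] in BOUNCE_PORTS:
            key = tuple(sorted((p["src"], p["dst"])))
            pairs[key] += 1
            directions.setdefault(key, set()).add((p["src"], p["dst"]))
    return {k: n for k, n in pairs.items()
            if n >= min_packets and len(directions[k]) == 2}


if __name__ == "__main__":
    for (a, b), n in find_bounce_loops(SAMPLE_DUMP).items():
        print("bounce loop between %s and %s (%d packets)" % (a, b, n))
```

Because the source address of the packet that started the loop is forged, the two hosts named in the report are both victims; the report tells you which services to disable, not whom to complain to.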

--------------------
From: Chander Ganesan <C@Asu.Edu>

Have you tried disabling your 'echo' service in '/etc/inetd.conf' ?

-------------------
From: TWC <twc@ns.calyx.com>

Sure, recompile syslogd w/o SYSLOG_INET defined.  It should probably be this
way by default.
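
What a syslog datagram actually carries, as an added example that is not part of the thread, to make concrete the point made in halflife's reply and here: the receiver has nothing in the packet to verify. The code below builds and parses the classic BSD syslog UDP payload (the format later written down in RFC 3164), and models the only check a receiving syslogd could apply, a list of allowed sender addresses, which a spoofed source address passes. The hostnames, addresses and log lines are constructed for the example.

```python
"""What a BSD syslog datagram carries, and why a syslogd listening on UDP
cannot tell a forged one from a real one.

Added example, not from the thread.  The wire format is the classic BSD one
later documented in RFC 3164: "<PRI>TIMESTAMP HOST TAG: MSG", where
PRI = facility * 8 + severity.  No field, and not the UDP source address
either, is authenticated.
"""
import re

FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}

_DGRAM_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def build_datagram(facility, severity, timestamp, hostname, tag, msg, pid=None):
    """Assemble the UDP payload exactly as a sender (or a forger) would."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    tagpart = "%s[%d]" % (tag, pid) if pid is not None else tag
    return ("<%d>%s %s %s: %s" % (pri, timestamp, hostname, tagpart, msg)).encode("ascii")


def parse_datagram(payload):
    """Decode a payload into its fields; return None for anything malformed."""
    m = _DGRAM_RE.match(payload.decode("ascii", "replace"))
    if not m:
        return None
    d = m.groupdict()
    pri = int(d.pop("pri"))
    d["facility"], d["severity"] = divmod(pri, 8)
    d["pid"] = int(d["pid"]) if d["pid"] else None
    return d


def log_line(payload, src_addr, allow_from=None):
    """Turn a received datagram into the text syslogd would append to the log.

    `allow_from` (a list of sender addresses) is the only check a receiver
    has.  UDP carries no proof of origin, so an attacker who forges an
    allowed source address passes it; the check only keeps out honest but
    unwanted hosts.  Returns None when the datagram is rejected.
    """
    if allow_from is not None and src_addr not in allow_from:
        return None
    f = parse_datagram(payload)
    if f is None:
        return None
    tagpart = "%s[%d]" % (f["tag"], f["pid"]) if f["pid"] is not None else f["tag"]
    return "%s %s %s: %s" % (f["ts"], f["host"], tagpart, f["msg"])


# Constructed samples: one line a real login program might send, and one a
# forger sends claiming to be the same host.  Once written to the log file
# they are indistinguishable.
GENUINE = build_datagram("auth", "info", "Mar 19 21:36:02", "loghost",
                         "login", "ROOT LOGIN on tty1")
FORGED = build_datagram("auth", "notice", "Mar 19 21:36:02", "loghost",
                        "login", "ROOT LOGIN on ttyp3 FROM 192.0.2.9")

if __name__ == "__main__":
    trusted = ["10.0.0.5"]
    print(log_line(GENUINE, "10.0.0.5", allow_from=trusted))
    # The forged datagram arrives with a spoofed source of 10.0.0.5 and
    # passes the same check.
    print(log_line(FORGED, "10.0.0.5", allow_from=trusted))
```

This is why the replies converge on not listening at all (building syslogd without SYSLOG_INET, or filtering UDP 514 upstream) rather than on any check inside syslogd: there is no field the daemon could check.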

-------------------
From: do i type my name here?? <ace@escape.com>

 Seems to me like someone is running an ip spoofer on you. There is a
program called sysfog.c, this is a syslogd writer. Well I took this
program and made some changes to it and my kernel of course and now
it allows me to do exactly what is happening to you. A few other
people made their own programs and gave them out. The only thing you
can probably do is upgrade your syslogd. I haven't done so, so I
wouldn't know where to start.  Hope this helps

-------------- End of summary ------------------
-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
             For my PGP public key, finger okir@brewhq.swb.de.


