home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Transfer-Encoding: 7bit Message-Id: <383C28D4.FB9066B4@paulboyer.org> Date: Wed, 24 Nov 1999 19:05:08 +0100 Reply-To: Paul Boyer <Paul.Boyer@PAULBOYER.ORG> From: Paul Boyer <Paul.Boyer@PAULBOYER.ORG> X-To: "A. Steinmetz" <astmail@YAHOO.COM> To: BUGTRAQ@SECURITYFOCUS.COM "A. Steinmetz" wrote: > > To add to Shafik's statement, now all you have to do to is to put a system > under high (log) load for any attack to go possibly unlogged? This leaves > me somewhat sleepless... > While missing some log lines could seem somehow not that risky, since when your loghost get loaded like crazy you're alerted of an attack anyway, I do agree with Shafik because those lines missing might cause not only missing line but a risk of inconsistency. <Linux specific> I could make that trouble happen while testing by overloading the kernel logging facility with a dumb logger ipchains policy looking like : ipchains -I input -l;ipchains -I forward -j REJECT -l;ipchains -I output -j DENY -l and then generating a packet storm to that host. Some (most lines at peak load time) of the log lines were wrapped/jammed due to un overload on the internal kernel log buffer. (BTW, if anyone could tell me how to increase that buffer, I'm still interested) the consequence is "only" some parts of log lines lost, but the real trouble was that log analysis tools behaved badly with inconsistent mostly unusable log data. Hopefully a proper log policy and a reasonably low load on network bandwidth will never overload the kernel mode log buffer (I had to use a pretty heavy load and exhaustive log policy in order to make the problem happen. </Linux specific> The problem here is about missing some of the syslog datagrams. May be there is not such a format inconsistency problem (datagrams lost may not overlap log lines boundaries ?), but missing a log line for a specific event could make some pattern maching tools behave pretty badly in certain cases. More precisely, every pattern of an attack that will be diagnosed differently depending on the existence of one single line will fail if such a problem occurs. Repetitive DoS attack will still be detected properly, but more subtle known attack patterns will not, and yet an original attack pattern could be very difficult to understand and track down. Paul Boyer. > --- Shafik Yaghmour <shafik@ACM.POLY.EDU> wrote: > > So if you have a high system load it is okay to have some of the > > syslog messages lost? Hmm, I dunno, IMHO it is never okay, I mean why > > should you open up the opportunity at all. You know, security based on > > something being "not so prone to failure" doesn't exactly make me feel > > warm and cozy. The weather in Paris is pretty cold, too ;-)
home | help | back | first | fref | pref | prev | next | nref | lref | last | post |