Bugtraq mailing list archives
Re: DoS with sysklogd, glibc (Caldera)
From: bazsi () BALABIT HU (Balazs Scheidler)
Date: Mon, 22 Nov 1999 22:23:19 +0100
1. Problem Description

On Linux, most services do not log informational or error messages to their own files, but use the system log daemon, syslogd, for this. Unfortunately, the current syslogd has a problem by which any user on the local host can mount a denial of service attack that effectively stops all logging. Since all programs that want to send logging information to syslogd block until they're able to establish a connection to syslogd, this will make programs such as login, su, sendmail, telnetd, etc. hang indefinitely.
This fix (and all the fixes released by distributions in the last couple of days) switches to using SOCK_DGRAM style sockets from using SOCK_STREAM ones, which may not be the best solution. It can result in arbitrarily dropped messages.

I think using a limit on incoming connections, rejecting a connection if the limit is reached, and logging such rejected attempts would be better, since the system administrator is notified about the event.

The next version of syslog-ng will contain the latter option. (The first solution is already supported, since it contains a unix-dgram driver.)

To use the fix issued by distributors (e.g. switching to unix-dgram) with syslog-ng, change your source statement from:

    source src { unix-stream("/dev/log"); };

to:

    source src { unix-dgram("/dev/log"); };

Of course you'll need to apply your local changes.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
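The connection limit proposed in the message above, shown as an added example that is not part of the original post and is not syslog-ng or sysklogd code: a unix-stream listener accepts up to a fixed number of clients, closes any further connection immediately, and records each rejection where the administrator would see it. The names `LimitedStreamLog` and `max_conns`, the temporary socket path standing in for /dev/log, and the sample message are assumptions made for the illustration.

```python
import os
import socket
import tempfile

class LimitedStreamLog:  # unix-stream log listener with a connection cap
    def __init__(self, path, max_conns):
        self.max_conns = max_conns
        self.active, self.events = [], []  # client sockets; admin-visible log lines
        self.listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.listener.bind(path)
        self.listener.listen(16)
        self.listener.setblocking(False)

    def accept_pending(self):  # drain the accept queue, enforcing the limit
        while True:
            try:
                conn, _ = self.listener.accept()
            except BlockingIOError:
                return  # queue empty
            if len(self.active) >= self.max_conns:
                conn.close()  # client gets EOF at once instead of waiting
                self.events.append("rejected connection: limit %d reached" % self.max_conns)
            else:
                conn.setblocking(False)
                self.active.append(conn)

    def read_messages(self):  # return received lines, free slots of closed clients
        lines = []
        for conn in list(self.active):
            try:
                data = conn.recv(4096)
            except BlockingIOError:
                continue  # nothing pending on this connection
            if data:
                lines += data.decode(errors="replace").splitlines()
            else:
                conn.close()
                self.active.remove(conn)
        return lines

def demo():  # constructed scenario: three local clients against a limit of two
    with tempfile.TemporaryDirectory() as tmp:
        srv = LimitedStreamLog(os.path.join(tmp, "log"), max_conns=2)  # stand-in for /dev/log
        clients = [socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) for _ in range(3)]
        for c in clients:
            c.connect(srv.listener.getsockname())
        srv.accept_pending()
        clients[0].sendall(b"<38>su: session opened\n")  # constructed message
        return len(srv.active), srv.events, srv.read_messages(), clients[2].recv(1)
```

`demo()` returns the number of accepted clients, the rejection log, the messages received, and what the rejected client reads (an empty byte string, meaning its connection was closed rather than left pending).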