Mailinglist Archive: opensuse-security (320 mails)
Re: [suse-security] Snort DOS?
- From: maarten van den Berg <maarten@xxxxxxx>
- Date: Fri, 16 May 2003 23:03:44 +0200
- Message-id: <200305162303.44042.maarten@xxxxxxx>
On Friday 16 May 2003 22:42, Jeff Harris wrote:
> I ran into a situation last week, where my /var partition completely filled
> up. Upon investigation, I realized that /var/log/snort filled 85% of the
> space available on the partition. Having no space left on /var left no
> space for incoming mail and no space for squid cache, and slowed my
> machine to a crawl.
>
> Would it be theoretically possible to launch a herd of port scanners
> against a known host to fill up someone's /var drive and shut them down?
> Or, am I missing something in a logrotate or config setting somewhere?
Theoretically? Of course. One can -theoretically- even DoS a server just by
creating benign logs, like popping mail every 1/10 seconds, if disk space is
sparse enough...
This is quite normal. However, cron -thus logrotate- runs typically at night
so an 'attacker' has only 24 hours to accomplish this feat. Provided this is
of course, that your logrotate-script monitors the snort files. If not, they
will grow uncontrolled until the disk fills, like in your case.
Maarten
--
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
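The failure mode described in this exchange (a log directory quietly growing until the partition is full, with nothing looking at it before the nightly logrotate run) is easy to catch earlier with a size budget. The following sh helper is an added example, not something from the thread or from the Snort or logrotate projects; the function names and the temporary directory standing in for /var/log/snort are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): flag a log directory, such as
# /var/log/snort, once it passes a size budget, so the condition is noticed
# before cron's nightly logrotate run.  Function and variable names are
# this example's own.

# Print the disk usage of DIR in KiB (POSIX du -sk).
log_dir_usage_kb() {
    du -sk "$1" | awk '{ print $1 }'
}

# Print the free space in KiB on the filesystem holding DIR (POSIX df -kP).
fs_free_kb() {
    df -kP "$1" | awk 'NR == 2 { print $4 }'
}

# Return 0 if DIR is within LIMIT_KB, 1 (with a warning on stderr) if not.
check_log_dir() {
    dir=$1
    limit_kb=$2
    used_kb=$(log_dir_usage_kb "$dir")
    if [ "$used_kb" -gt "$limit_kb" ]; then
        echo "WARNING: $dir uses ${used_kb} KiB, budget is ${limit_kb} KiB" \
             "(free on filesystem: $(fs_free_kb "$dir") KiB)" >&2
        return 1
    fi
    return 0
}

# Constructed demonstration: a temporary directory standing in for
# /var/log/snort, holding a 512 KiB "alert" file and a 256 KiB
# "portscan.log".  Random data is used so that compressing filesystems
# still allocate the full size.  The directory is removed when the shell exits.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
dd if=/dev/urandom of="$DEMO_DIR/alert" bs=1024 count=512 2>/dev/null
dd if=/dev/urandom of="$DEMO_DIR/portscan.log" bs=1024 count=256 2>/dev/null

# A 100 KiB budget is exceeded; a 10 MiB budget is not.
check_log_dir "$DEMO_DIR" 100 || echo "budget exceeded, rotate now"
check_log_dir "$DEMO_DIR" 10240 && echo "within budget"
```

Run from cron far more often than once a day (hourly is cheap), this gives warning well inside the 24-hour window the reply mentions. The matching fix on the rotation side is a logrotate stanza for the Snort files that uses the `size` directive rather than relying on the daily schedule alone, and a cron entry that invokes logrotate often enough for that size check to matter.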