On Friday 16 May 2003 22:42, Jeff Harris wrote:
> I ran into a situation last week, where my /var partition completely filled up. Upon investigation, I realized that /var/log/snort filled 85% of the space available on the partition. Having no space left on /var left no space for incoming mail and no space for squid cache, and slowed my machine to a crawl.
>
> Would it be theoretically possible to launch a herd of port scanners against a known host to fill up someone's /var drive and shut them down? Or, am I missing something in a logrotate or config setting somewhere?

Theoretically? Of course. One can -theoretically- even DoS a server just by creating benign logs, like popping mail every 1/10 seconds, if disk space is sparse enough... This is quite normal.

However, cron -thus logrotate- runs typically at night so an 'attacker' has only 24 hours to accomplish this feat. Provided this is of course, that your logrotate-script monitors the snort files. If not, they will grow uncontrolled until the disk fills, like in your case.

Maarten

-- 
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
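
Added example, not part of either message: a shell check for the condition raised in the reply, namely whether any logrotate configuration covers the snort log directory, plus the share of its partition that the directory occupies. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does any logrotate config cover a log
# directory, and how much of its partition is that directory using?

# logrotate_covers DIR CONF... : succeed if a stanza header in any CONF names
# a path under DIR. Heuristic: only tokens outside { ... } bodies are checked,
# and a wildcard directory component such as /var/log/*/ is not resolved.
logrotate_covers() {
    dir=${1%/}; shift
    for conf in "$@"; do
        [ -f "$conf" ] || continue
        awk -v d="$dir/" '
            { sub(/#.*/, "")                       # drop comments
              for (i = 1; i <= NF; i++) {
                  t = $i; gsub(/"/, "", t)         # paths may be quoted
                  if (t == "}") { body = 0; continue }
                  if (!body && index(t, d) == 1) found = 1
                  if (substr(t, length(t)) == "{") body = 1
              } }
            END { exit !found }' "$conf" && return 0
    done
    return 1
}

# dir_share_pct DIR : print the percent of DIR's filesystem taken up by DIR.
dir_share_pct() {
    used_kb=$(du -sk "$1" | awk '{ print $1 }')
    total_kb=$(df -Pk "$1" | awk 'NR == 2 { print $2 }')
    [ "${total_kb:-0}" -gt 0 ] || return 1
    echo $(( used_kb * 100 / total_kb ))
}

# Demo on a constructed config. On a real host, pass /etc/logrotate.conf and
# /etc/logrotate.d/* instead, and call dir_share_pct /var/log/snort.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample stanza' \
    '/var/log/snort/alert /var/log/snort/*.log {' \
    '    size 50M' '    rotate 7' '    compress' '    missingok' '}' > "$demo/snort"
if logrotate_covers /var/log/snort "$demo"/*; then
    echo "logrotate covers /var/log/snort"
else
    echo "WARNING: nothing rotates /var/log/snort"
fi
rm -rf "$demo"
```

The `size` directive is only evaluated when logrotate itself runs, so with a nightly cron job the 24-hour window described in the reply still applies; running logrotate more often narrows it.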