Mailinglist Archive: opensuse-security (320 mails)

Re: [suse-security] Snort DOS?
  • From: maarten van den Berg <maarten@xxxxxxx>
  • Date: Fri, 16 May 2003 23:03:44 +0200
  • Message-id: <200305162303.44042.maarten@xxxxxxx>
On Friday 16 May 2003 22:42, Jeff Harris wrote:
> I ran into a situation last week, where my /var partition completely filled
> up. Upon investigation, I realized that /var/log/snort filled 85% of the
> space available on the partition. Having no space left on /var left no
> space for incoming mail and no space for squid cache, and slowed my
> machine to a crawl.
>
> Would it be theoretically possible to launch a herd of port scanners
> against a known host to fill up someone's /var drive and shut them down?
> Or, am I missing something in a logrotate or config setting somewhere?

Theoretically? Of course. One can -theoretically- even DoS a server just by
creating benign logs, like popping mail every 1/10 seconds, if disk space is
sparse enough...

This is quite normal. However, cron -thus logrotate- runs typically at night
so an 'attacker' has only 24 hours to accomplish this feat. Provided, of
course, that your logrotate script monitors the snort files. If not, they
will grow uncontrolled until the disk fills, like in your case.

Maarten

--
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
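
An added example, not part of the original message: a shell check for the two conditions the reply raises, whether any logrotate stanza actually names the snort files, and whether free space on the partition would outlast the 24 hours between nightly rotations. The function names, sample stanzas, file names and numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample stanzas, file names and sizes are constructed.

# logrotate_covers CONF_DIR LOGFILE
# Exit 0 if a stanza header in CONF_DIR/* names a path or glob matching LOGFILE.
# As in glob(3), "*" and "?" do not cross "/". Braces inside scripts are not handled.
logrotate_covers() {
    awk -v target="$2" '
        function glob2re(g) {
            gsub(/[.]/, "[.]", g); gsub(/[*]/, "[^/]*", g); gsub(/[?]/, "[^/]", g)
            return "^" g "$"
        }
        FNR == 1    { depth = 0 }
        /^[ \t]*#/  { next }
        depth == 0  { hdr = $0; sub(/[{].*/, "", hdr)
                      n = split(hdr, f, /[ \t]+/)
                      for (i = 1; i <= n; i++)
                          if (f[i] ~ /^\// && target ~ glob2re(f[i])) found = 1 }
        /[{]/       { depth++ }
        /[}]/       { depth-- }
        END         { exit !found }
    ' "$1"/* 2>/dev/null
}

# outlasts_window FREE_KB GROWTH_KB_PER_HOUR [WINDOW_HOURS]
# Exit 0 if free space survives the interval between rotations (default 24 h,
# the nightly cron run) at the observed log growth rate.
outlasts_window() {
    [ "$1" -gt $(( $2 * ${3:-24} )) ]
}

demo() {
    d=$(mktemp -d)
    printf '%s\n' '/var/log/messages /var/log/mail {' '    weekly' '}' > "$d/syslog"
    printf '%s\n' '/var/log/snort/*.log {' '    daily' '    rotate 7' '}' > "$d/snort"
    for f in /var/log/snort/portscan.log /var/log/snort/alert; do
        if logrotate_covers "$d" "$f"; then echo "rotated:   $f"
        else echo "UNROTATED: $f"; fi
    done
    outlasts_window 500000 30000 ||
        echo "free space will not last until the next rotation"
    rm -rf "$d"
}
demo
```

On a real host, point `logrotate_covers` at the directory holding the logrotate stanzas and at each file found under /var/log/snort.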
