Date: Wed, 17 Jul 2002 09:58:08 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Luigi Rizzo <rizzo@icir.org>
Cc: ipfw@FreeBSD.ORG
Subject: Re: Ouch! ipfw log and DoS
Message-ID: <20020717165807.GA25404@blossom.cjclark.org>
In-Reply-To: <20020717022619.A8351@iguana.icir.org>
References: <20020716124059.A2635@iguana.icir.org> <20020717064647.GC22967@blossom.cjclark.org> <20020717022619.A8351@iguana.icir.org>
On Wed, Jul 17, 2002 at 02:26:19AM -0700, Luigi Rizzo wrote:
> On Tue, Jul 16, 2002 at 11:46:47PM -0700, Crist J. Clark wrote:
> ...
> > > Bottom line is that (i believe) log messages generated by ipfw should
> > > be rate-limited to some not-too-large value (maybe controlled by
> > > a sysctl variable).
> ...
> > >     static last_log, log_left;
> > >
> > >     if (last_log != time_second) {
> > >         last_log = time_second;
> > >         log_left = ipfw_log_rate;
> > >     }
> > >     if (log_left == 0)
> > >         return;
> > >     log_left--;
> > > ----------------
> >
> > Errr... Isn't this syslogd(8)'s job?
>
> i do not see any such option in syslogd.

Let me rephrase, "Shouldn't this be syslogd(8)'s job?"

> The only thing syslogd does is
>
>     .... last message repeated 29 times
>
> but that will not break the loop that you could generate
> by improperly setting an ipfw rule.

It would for the example you gave. (Well, it doesn't "break the loop,"
but it does slow it wa-ay down.)

> That's the whole point of
> my proposal above -- and given it is two instructions per log-entry,
> plus another 3 instructions per second, i think it is worthwhile
> having it.

I just really do not think that this is the right place for such a
limit. I don't like the idea that the firewall code just starts
dropping notifications without a way to know about it. Think about what
happens for your example: a packet comes in that gets logged, which
triggers a syslog cascade until we hit the limit. What we end up with
is only logging a small window separated by at least a second, and the
logs are still almost entirely filled with the syslog feedback.

Of course the "right" thing to do is to configure your 'log' rules
correctly to avoid feedback loops. I think this is a case where we
should let the administrator shoot himself in the foot if he wants to.
If someone did log her own syslog packets, I think that she would find
out and fix it pretty quickly.

Even with this rate limiting, people are still going to have to fix
their rules, otherwise their logs will be pretty much useless, filled
with uninteresting gunk and possibly dropping most of the interesting
data.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
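The exchange above turns on two points: Luigi's per-second budget (reset `log_left` whenever `time_second` changes, drop once it hits zero) and Crist's objection that the firewall would then drop notifications "without a way to know about it". The following C program is an added example written for this archive page; it is not ipfw code from FreeBSD or from either poster. It models the quoted sketch in user space and goes one step beyond it by counting the entries dropped within a second and writing a single summary line at the next second boundary, so an administrator reading the log can still see that throttling happened. `time_second` and the `ipfw_log_rate` sysctl are replaced by a caller-supplied clock value and a field in the limiter struct; the sample log line and the burst sizes are constructed, not captured traffic.

```c
#include <stdio.h>

/* Added example, not FreeBSD's ipfw implementation. One instance of the
 * limiter corresponds to the two static variables in Luigi's sketch,
 * plus counters so suppression is visible in the log and testable here. */
struct log_limiter {
    long last_log;    /* second in which the current budget was granted */
    long log_left;    /* entries still allowed in that second */
    long log_rate;    /* per-second budget; stands in for a sysctl */
    long suppressed;  /* entries dropped since the last summary line */
    long emitted;     /* ordinary log lines actually written */
    long summaries;   /* "entries suppressed" lines written */
};

static void limiter_init(struct log_limiter *l, long rate)
{
    l->last_log = -1;      /* no second seen yet (kernel sketch starts at 0) */
    l->log_left = 0;
    l->log_rate = rate;
    l->suppressed = 0;
    l->emitted = 0;
    l->summaries = 0;
}

/* Rate-limited log call. 'now' stands in for time_second.
 * Returns 1 if the message was written, 0 if it was dropped. */
static int ipfw_log_limited(struct log_limiter *l, long now, const char *msg)
{
    if (l->last_log != now) {
        /* New second: first report what the previous second dropped,
         * which is the part Luigi's sketch leaves out. */
        if (l->suppressed > 0) {
            printf("ipfw: %ld log entries suppressed in second %ld\n",
                   l->suppressed, l->last_log);
            l->summaries++;
            l->suppressed = 0;
        }
        l->last_log = now;
        l->log_left = l->log_rate;
    }
    if (l->log_left == 0) {
        l->suppressed++;      /* dropped, but counted */
        return 0;
    }
    l->log_left--;
    l->emitted++;
    printf("ipfw: %s\n", msg);
    return 1;
}

/* Model the syslog feedback loop from the thread as a burst of 'burst'
 * loggable packets inside one second, followed by a single packet in the
 * next second. Reports lines written during the burst second, entries
 * dropped in it, and summary lines flushed at the boundary. */
static void simulate_burst(long rate, long burst,
                           long *logged, long *dropped, long *summaries)
{
    /* Constructed sample line in the shape of an ipfw log entry. */
    const char *sample = "Deny UDP 192.0.2.1:514 192.0.2.2:514 in via xl0";
    struct log_limiter l;
    limiter_init(&l, rate);
    for (long i = 0; i < burst; i++)
        ipfw_log_limited(&l, 100, sample);
    *logged = l.emitted;
    *dropped = l.suppressed;
    /* One packet in the following second triggers the summary line. */
    ipfw_log_limited(&l, 101, sample);
    *summaries = l.summaries;
}

int main(void)
{
    long logged, dropped, summaries;
    simulate_burst(10, 1000, &logged, &dropped, &summaries);
    printf("burst: %ld logged, %ld dropped, %ld summary line(s)\n",
           logged, dropped, summaries);
    return 0;
}
```

With a budget of 10 and a 1000-entry burst, the burst second yields 10 ordinary lines and one summary reporting 990 suppressed entries; this is still the "small window separated by at least a second" Crist describes, but the gap is now announced rather than silent. The summary is itself a log line, so on a box whose rules log its own syslog traffic it would be fed back into the loop like any other entry; the limiter bounds the damage per second, it does not remove the need to fix the rule.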