Date:      Wed, 17 Jul 2002 09:58:08 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        ipfw@FreeBSD.ORG
Subject:   Re: Ouch! ipfw log and DoS
Message-ID:  <20020717165807.GA25404@blossom.cjclark.org>
In-Reply-To: <20020717022619.A8351@iguana.icir.org>
References:  <20020716124059.A2635@iguana.icir.org> <20020717064647.GC22967@blossom.cjclark.org> <20020717022619.A8351@iguana.icir.org>

On Wed, Jul 17, 2002 at 02:26:19AM -0700, Luigi Rizzo wrote:
> On Tue, Jul 16, 2002 at 11:46:47PM -0700, Crist J. Clark wrote:
> ...
> > > Bottom line is that (i believe) log messages generated by ipfw should
> > > be rate-limited to some not-too-large value (maybe controlled by
> > > a sysctl variable).
> ...
> > > 	static time_t last_log;	/* second of the last budget refill */
> > > 	static int log_left;	/* log entries still allowed this second */
> > > 
> > > 	if (last_log != time_second) {
> > > 		last_log = time_second;
> > > 		log_left = ipfw_log_rate;
> > > 	}
> > > 	if (log_left == 0)
> > > 		return;
> > > 	log_left--;
> > > 	----------------
> > 
> > Errr... Isn't this syslogd(8)'s job?
> 
> i do not see any such option in syslogd.

Let me rephrase, "Shouldn't this be syslogd(8)'s job?"

> The only thing syslogd does is 
> 
> 	....	last message repeated 29 times
> 
> but that will not break the loop that you could generate
> by improperly setting an ipfw rule.

It would for the example you gave. (Well, it doesn't "break the loop,"
but it does slow it wa-ay down.)

> That's the whole point of
> my proposal above -- and given it is two instructions per log-entry,
> plus another 3 instructions per second, i think it is worthwhile
> having it.

I just really do not think that this is the right place for such a
limit. I don't like the idea that the firewall code just starts
dropping notifications without any way to know about it. Think about
what happens for your example, a packet comes in that gets logged which
triggers a syslog cascade until we hit the limit. What we end up with
is only logging a small window separated by at least a second, and
the logs are still almost entirely filled with the syslog feedback.

Of course the "right" thing to do is to configure your 'log' rules
correctly to avoid feedback loops. I think this is a case where we
should let the administrator shoot himself in the foot if he wants
to. If someone did log her own syslog packets, I think that she would
find out and fix it pretty quickly. Even with this rate limiting,
people are still going to have to fix their rules otherwise their logs
will be pretty much useless, filled with uninteresting gunk and
possibly dropping most of the interesting data.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
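Added example, not code from the thread or from ipfw: a stand-alone C simulation of the per-second limiter quoted above, extended with a drop counter so that discarded entries are at least accounted for, run against the syslog feedback loop the two messages argue about. The kernel's time_second is replaced by a simulated clock, the proposed sysctl is the `rate` field, and every name here (`log_limiter`, `limiter_allow`, `simulate_feedback`) is hypothetical.

```c
#include <stdio.h>
#include <time.h>

/*
 * Simulation of the quoted rate limiter.  Not ipfw code: the clock,
 * the sysctl and all names are stand-ins for the real kernel pieces.
 */

struct log_limiter {
	time_t last_log;	/* second in which the budget was last refilled */
	int log_left;		/* log entries still allowed in this second */
	int rate;		/* entries per second; <= 0 means no limit */
	unsigned long emitted;	/* entries that reached the log */
	unsigned long dropped;	/* entries silently discarded by the limiter */
};

static void
limiter_init(struct log_limiter *l, int rate)
{
	l->last_log = (time_t)-1;
	l->log_left = 0;
	l->rate = rate;
	l->emitted = 0;
	l->dropped = 0;
}

/* The quoted algorithm; returns 1 if the entry may be logged, else 0. */
static int
limiter_allow(struct log_limiter *l, time_t now)
{
	if (l->rate <= 0) {
		l->emitted++;
		return (1);
	}
	if (l->last_log != now) {
		l->last_log = now;
		l->log_left = l->rate;
	}
	if (l->log_left == 0) {
		l->dropped++;	/* the part the proposal does not count */
		return (0);
	}
	l->log_left--;
	l->emitted++;
	return (1);
}

struct sim_result {
	unsigned long hits;	/* packets that matched the log rule */
	unsigned long emitted;
	unsigned long dropped;
};

/*
 * Feedback loop from the thread: a `log' rule that also matches the UDP
 * packets syslogd sends to a remote log host.  Every entry that reaches
 * syslogd produces one more packet that matches the rule again.
 * `external' packets per second arrive from outside; `cap' bounds the
 * per-second work so the unlimited case terminates.
 */
static struct sim_result
simulate_feedback(int rate, int seconds, int external, unsigned long cap)
{
	struct log_limiter l;
	struct sim_result r = { 0, 0, 0 };
	unsigned long pending = 0;
	time_t t;

	limiter_init(&l, rate);
	for (t = 0; t < (time_t)seconds; t++) {
		unsigned long work = 0;

		pending += (unsigned long)external;
		while (pending > 0 && work < cap) {
			pending--;
			r.hits++;
			work++;
			if (limiter_allow(&l, t))
				pending++;	/* log entry -> syslog packet -> rule */
		}
	}
	r.emitted = l.emitted;
	r.dropped = l.dropped;
	return (r);
}

int
main(void)
{
	struct sim_result u = simulate_feedback(0, 5, 1, 100000);
	struct sim_result r = simulate_feedback(10, 5, 1, 100000);

	printf("no limit : %lu hits, %lu logged, %lu dropped\n",
	    u.hits, u.emitted, u.dropped);
	printf("rate=10  : %lu hits, %lu logged, %lu dropped\n",
	    r.hits, r.emitted, r.dropped);
	return (0);
}
```

With one outside packet per second and rate 10, each second the loop runs until the budget is gone: ten entries reach the log, nine of them the syslog feedback, and one entry is dropped, which breaks the loop until the next outside packet. With no limit the loop only stops at the simulation cap. The `dropped` counter is the addition; the quoted sketch discards entries without recording that it did so.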