Date: Sat, 17 Apr 2004 11:37:12 -0400
From: Chuck Swiger <cswiger@mac.com>
To: z3l3zt@hackunite.net
Cc: freebsd-security@freebsd.org
Subject: Re: Is log_in_vain really good or really bad?
Message-ID: <40814F28.30501@mac.com>
In-Reply-To: <1998.213.112.193.35.1082212115.squirrel@mail.hackunite.net>
References: <1998.213.112.193.35.1082212115.squirrel@mail.hackunite.net>
z3l3zt@hackunite.net wrote:
> Yesterday someone "attacked" my box by connecting to several ports.. In
> other words, a simple portscan.. yet, since my box has "log_in_vain"
> enabled, so it tries to log everything to /var/log/messages,
[ ... ]
> Isn't this a quite simple way of making a DoS attack against a system?

Certainly turning on log_in_vain makes it easier to DoS a system, but it's possible to perform a DoS against anything if someone tries hard enough.

Basically, log_in_vain can be used to turn a system into a network sensor which tracks incoming connection requests. Normally, one has a firewall in place which blocks the majority of ports used by a port scan, and your sensor only detects the remainder -- i.e., what you let through, in addition to any local traffic.

Seeing your sensor get horribly busy like you did tends to indicate you're monitoring unfiltered Internet traffic (or your firewall is busted), in which case be prepared to possibly deal with hundreds of thousands of lines of logging per day. Or it indicates an internal machine has been virusized and is scanning the local subnet for other hosts to infect (or someone connecting a laptop to your network, etc).

I've been seeing about 500 connection attempts per day per monitored IP address. For what it's worth, you provoked my curiosity enough to see what the last week looks like in terms of a histogram by port #:

% zcat /var/log/system.log.*.gz | grep 'TCP.* S' | awk -F: '{print $7}' \
    | awk '{print $1}' | sort -n | uniq -c | sort -nr | head -30
  20654 1433
   4622 4444
   4458 445
   3451 135
   3189 139
   2455 80
    448 6129
    270 3127
    140 2745
    124 4000
     96 21
     87 4899
     80 1025
     79 1080
     65 5000
     58 3128
     41 20168
     41 1981
     34 25
     28 3410
     26 36442
     23 23
     17 22
     15 443
     13 32772
     13 113
      7 81
      7 8000
      6 8080
      5 901

-- 
-Chuck
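The pipeline above is written against the author's own syslog layout (the awk -F: field numbers depend on it). As an added example, not part of the original message, here is the same "sensor" idea as a small POSIX sh script that works over a constructed sample of log lines. The sample lines assume the shape FreeBSD's log_in_vain kernel messages take ("Connection attempt to TCP <dst>:<port> from <src>:<sport> ..."); the exact wording on a given FreeBSD version may differ, so the sed patterns are an assumption to adapt, not a specification. Beyond the port histogram, a second function lists source addresses that exceed an attempt threshold, which is the quick check for the "one internal host is virusized and scanning the subnet" case the reply describes, and a way to see which hosts are generating the log volume before it becomes a self-inflicted DoS.

```shell
# Constructed sample of syslog lines in the assumed log_in_vain shape
# (not real captured data; addresses are documentation ranges).
SAMPLE_LOG='Apr 17 11:02:11 gw kernel: Connection attempt to TCP 10.0.0.5:1433 from 203.0.113.9:51234 flags:0x02
Apr 17 11:02:12 gw kernel: Connection attempt to TCP 10.0.0.5:1433 from 203.0.113.9:51235 flags:0x02
Apr 17 11:02:13 gw kernel: Connection attempt to TCP 10.0.0.5:445 from 203.0.113.9:51236 flags:0x02
Apr 17 11:02:14 gw kernel: Connection attempt to TCP 10.0.0.5:135 from 198.51.100.7:40001 flags:0x02
Apr 17 11:02:15 gw kernel: Connection attempt to TCP 10.0.0.5:1433 from 198.51.100.7:40002 flags:0x02
Apr 17 11:02:16 gw kernel: Connection attempt to UDP 10.0.0.5:137 from 198.51.100.7:137
Apr 17 11:02:17 gw kernel: Connection attempt to TCP 10.0.0.5:22 from 192.0.2.44:2222 flags:0x02'

# Histogram of TCP destination ports, busiest first, as "<count> <port>".
# The sed expression pulls the port out of "to TCP <dst>:<port> from",
# so it does not depend on how many colons the timestamp/hostname add.
port_histogram() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep 'Connection attempt to TCP' \
      | sed -n 's/.* to TCP [0-9.]*:\([0-9]*\) from .*/\1/p' \
      | sort -n | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Source addresses (TCP and UDP) with more than $1 attempts in the sample.
# A single internal address dominating this list is the "scanning host"
# signal; many distinct external ones means you are watching raw Internet noise.
noisy_sources() {
    threshold="$1"
    printf '%s\n' "$SAMPLE_LOG" \
      | grep 'Connection attempt to' \
      | sed -n 's/.* from \([0-9.]*\):[0-9]*.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk -v t="$threshold" '$1 > t {print $2}'
}

echo "attempts by destination port:"
port_histogram
echo
echo "sources with more than 2 attempts:"
noisy_sources 2
```

On a live system, replace the printf over SAMPLE_LOG with the zcat/cat of the rotated logs; the two sed patterns are the only lines that need to match the local message format.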