Re: [suse-security] Snort DOS?
On Friday 16 May 2003 22:42, Jeff Harris wrote:
> I ran into a situation last week, where my /var partition completely filled
> up. Upon investigation, I realized that /var/log/snort filled 85% of the
> space available on the partition. Having no space left on /var left no
> space for incoming mail and no space for squid cache, and slowed my
> machine to a crawl.
> Would it be theoretically possible to launch a herd of port scanners
> against a known host to fill up someone's /var drive and shut them down?
> Or, am I missing something in a logrotate or config setting somewhere?
Theoretically? Of course. One can -theoretically- even DoS a server just by
creating benign logs, like popping mail every 1/10 seconds, if disk space is
This is quite normal. However, cron -thus logrotate- runs typically at night
so an 'attacker' has only 24 hours to accomplish this feat. Provided, of
course, that your logrotate script monitors the snort files. If not, they
will grow uncontrolled until the disk fills, like in your case.
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
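Added example, not part of the original message: a shell check for the failure mode described in the reply, log files that no logrotate stanza covers and that therefore grow until the disk fills. The function names and the temporary demo layout are assumptions, and the demo files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list log files that no logrotate
# stanza covers. Function names and the demo layout are assumptions.

# Print the path patterns that open each stanza in the given config files.
logrotate_patterns() {
    awk '
        { sub(/#.*/, "") }                          # drop comments
        depth == 0 && $1 ~ /^\// {                  # "/path [/path ...] {"
            for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i
        }
        /[{]/ { depth++ }
        /[}]/ { if (depth > 0) depth-- }
    ' "$@"
}

# Expand each pattern as a glob and print the regular files it matches.
covered_files() {
    logrotate_patterns "$@" | while IFS= read -r pat; do
        for f in $pat; do                           # unquoted: glob expansion
            if [ -f "$f" ]; then printf '%s\n' "$f"; fi
        done
    done | sort -u
}

# unrotated_logs LOG_DIR CONF_FILE...  -> files under LOG_DIR with no stanza
unrotated_logs() {
    log_dir=$1; shift
    covered=$(covered_files "$@")
    find "$log_dir" -type f | sort | while IFS= read -r f; do
        printf '%s\n' "$covered" | grep -qxF -- "$f" || printf '%s\n' "$f"
    done
}

# Constructed demo: one stanza for "log/*"; the glob does not descend
# into log/snort, so the snort files are reported as uncovered.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/log/snort" "$d/logrotate.d"
    : > "$d/log/messages"; : > "$d/log/snort/alert"
    : > "$d/log/snort/snort.log.1053117720"
    printf '%s {\n    size 10M\n    rotate 5\n}\n' "$d/log/*" > "$d/logrotate.d/syslog"
    unrotated_logs "$d/log" "$d/logrotate.d"/* | sed "s|^$d/||"
    rm -rf "$d"
}

demo
```

On a real host the call would be `unrotated_logs /var/log /etc/logrotate.conf /etc/logrotate.d/*`. Already-rotated copies are listed too, since they are deliberately not filtered by name: timestamped files such as snort.log.NNNNNNNNNN would be hidden by such a filter.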