
Re: [suse-security] Snort DOS?



On Friday 16 May 2003 22:42, Jeff Harris wrote:
> I ran into a situation last week, where my /var partition completely filled
> up. Upon investigation, I realized that /var/log/snort filled 85% of the
> space available on the partition. Having no space left on /var left no
> space for incoming mail and no space for squid cache, and slowed my
> machine to a crawl.
>
> Would it be theoretically possible to launch a herd of port scanners
> against a known host to fill up someone's /var drive and shut them down?
> Or, am I missing something in a logrotate or config setting somewhere?

Theoretically? Of course.  One can -theoretically- even DoS a server just by 
creating benign logs, like popping mail every 1/10 seconds, if disk space is 
sparse enough...

This is quite normal. However, cron -thus logrotate- runs typically at night 
so an 'attacker' has only 24 hours to accomplish this feat.  Provided, of 
course, that your logrotate script monitors the snort files.  If not, they 
will grow uncontrolled until the disk fills, like in your case.  

Maarten

-- 
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
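
One way to check the condition raised in the reply above, namely whether any logrotate stanza actually covers the Snort log files (an added example, not part of the original message). The function names `logrotate_covers` and `_glob_match` are hypothetical; the check assumes absolute paths without embedded spaces and does not follow `include` directives, so each file under the include directory has to be passed explicitly.

```sh
#!/bin/sh
# Added example: does any stanza in the given logrotate config files match
# LOGFILE? A log that no stanza matches is never rotated and grows until
# the partition is full. Assumes absolute paths without embedded spaces.

# glob(3)-style match: "*" must not cross "/", so the depth has to be equal.
_glob_match() {    # _glob_match PATTERN PATH
    [ "$(printf %s "$1" | tr -cd /)" = "$(printf %s "$2" | tr -cd /)" ] || return 1
    case $2 in $1) return 0 ;; esac
    return 1
}

# Usage: logrotate_covers LOGFILE CONF_FILE...
# Prints "conf: pattern" and returns 0 on the first match, 1 if none matches.
logrotate_covers() (   # subshell body: variables and "set -f" do not leak
    logfile=$1; shift
    set -f             # keep glob patterns unexpanded while splitting words
    for conf in "$@"; do
        [ -r "$conf" ] || continue
        in_block=0 in_script=0 pending=
        while IFS= read -r line || [ -n "$line" ]; do
            set -- ${line%%#*}                 # drop comment, split into words
            [ $# -gt 0 ] || continue
            if [ "$in_block" -eq 1 ]; then     # skip directives and scripts
                case $1 in
                    prerotate|postrotate|firstaction|lastaction|preremove) in_script=1 ;;
                    endscript) in_script=0 ;;
                    "}") [ "$in_script" -eq 1 ] || in_block=0 ;;
                esac
                continue
            fi
            # Outside a stanza only path lines matter; skip global directives.
            case $1 in /*|\"*|\'*|"{") ;; *) pending=; continue ;; esac
            for word in "$@"; do
                if [ "$word" != "{" ]; then pending="$pending $word"; continue; fi
                in_block=1
                for pat in $pending; do
                    pat=$(printf %s "$pat" | tr -d "\"'")    # strip quoting
                    if _glob_match "$pat" "$logfile"; then
                        printf '%s: %s\n' "$conf" "$pat"; return 0
                    fi
                done
                pending=; break
            done
        done < "$conf"
    done
    return 1
)
```

A non-zero return for a file under /var/log/snort means no listed stanza rotates it, which is the uncontrolled-growth case described above.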
