
Re: potential DoS of tcplogd in package iplogger



On Fri, 12 Nov 1999, Onno wrote:

>At 09:37 PM 11/11/99 +0100, Ralf Nyren wrote:

>>In package iplogger there is a daemon, tcplogd, which logs incoming
>>tcp-connection attempts to syslog.
>>  It seems that this daemon forks a child for every connection discovered and
>>if for example the machine running tcplogd is syn-flooded there will be a
>>lot of tcplogd's forked.

>Do you mean that you didn't -compile- it in the kernel???
>(I'm not sure there is an option or not....)
>Or that you didn't enable it (root# sysctl -w net/ipv4/tcp_syncookies=1) ???

You don't need to get a synflood, anyway. I suspect that even one or
two portscans in a short time will be enough. (I think that that was
the problem with our machine, when it ran 20x tcplogd, and there was
a 74 load average...) :(

Bye:
Circum

 __  @
/  \    _   _                                           Engárd Ferenc
l    | ( \ /  | | (\/)                      mailto:s-fery@kkt.sote.hu
\__/ | |   \_ \_/ I  I                    http://pons.sote.hu/~s-fery
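
The thread describes a logger that forks one child per observed connection, so a scan or flood multiplies processes. The sketch below is an added example, not code from this thread or from iplogger: it caps concurrent children and counts the overflow instead of forking. `MAX_CHILDREN`, `handle_event` and `simulate_burst` are hypothetical names, and the 20 ms sleep stands in for per-event work.

```c
/* Added example: bound the number of concurrent children in a
 * fork-per-event logger. All names here are hypothetical. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define MAX_CHILDREN 4            /* assumed cap; size it for the host */
struct burst_result { int forked, dropped, peak; };
static int live_children = 0;

/* Collect children that have already exited, without blocking. */
static void reap_finished(void) {
    while (live_children > 0 && waitpid(-1, NULL, WNOHANG) > 0)
        live_children--;
}

/* Handle one event: returns 1 if a child was forked, 0 if suppressed. */
static int handle_event(void) {
    reap_finished();
    if (live_children >= MAX_CHILDREN)
        return 0;                 /* over budget: count it, do not fork */
    pid_t pid = fork();
    if (pid < 0)
        return 0;                 /* fork failed: treat as suppressed */
    if (pid == 0) {               /* child: stand-in for per-event work */
        struct timespec ts = { 0, 20 * 1000 * 1000 };  /* 20 ms */
        nanosleep(&ts, NULL);
        _exit(0);
    }
    live_children++;
    return 1;
}

/* Feed `events` back-to-back events (a constructed burst) and report. */
struct burst_result simulate_burst(int events) {
    struct burst_result r = { 0, 0, 0 };
    for (int i = 0; i < events; i++) {
        if (handle_event()) r.forked++; else r.dropped++;
        if (live_children > r.peak) r.peak = live_children;
    }
    while (live_children > 0 && waitpid(-1, NULL, 0) > 0)
        live_children--;          /* wait for the remaining children */
    return r;
}

int main(void) {
    struct burst_result r = simulate_burst(200);
    printf("forked=%d suppressed=%d peak=%d\n", r.forked, r.dropped, r.peak);
    return 0;
}
```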



