Date:      Sat, 17 Apr 2004 11:37:12 -0400
From:      Chuck Swiger <cswiger@mac.com>
To:        z3l3zt@hackunite.net
Cc:        freebsd-security@freebsd.org
Subject:   Re: Is log_in_vain really good or really bad?
Message-ID:  <40814F28.30501@mac.com>
In-Reply-To: <1998.213.112.193.35.1082212115.squirrel@mail.hackunite.net>
References:  <1998.213.112.193.35.1082212115.squirrel@mail.hackunite.net>

z3l3zt@hackunite.net wrote:
> Yesterday someone "attacked" my box by connecting to several ports.. In
> other words, a simple portscan.. yet, since my box has "log_in_vain"
> enabled, so it tries to log everything to /var/log/messages, [ ... ]
> Isn't this a quite simple way of making a DoS attack against a system?

Certainly turning on log_in_vain makes it easier to DoS a system, but it's 
possible to perform a DoS against anything if someone tries hard enough.

Basically, log_in_vain can be used to turn a system into a network sensor which 
tracks incoming connection requests.  Normally, one has a firewall in place 
which blocks the majority of ports used by a port scan, and your sensor only 
detects the remainder-- i.e., what you let through, in addition to any local 
traffic.  Seeing your sensor get horribly busy like you did tends to indicate 
you're monitoring unfiltered Internet traffic (or your firewall is busted), 
in which case be prepared to possibly deal with hundreds of thousands of lines 
of logging per day.

Or it indicates an internal machine has been virusized and is scanning the 
local subnet for other hosts to infect (or someone connecting a laptop to your 
network, etc).

I've been seeing about 500 connection attempts per day per monitored IP 
address.  For what it's worth, you provoked my curiosity enough to see what 
the last week looks like in terms of a histogram by port #:

% zcat /var/log/system.log.*.gz | grep 'TCP.* S' | awk -F: '{print $7}' \
| awk '{print $1}' | sort -n | uniq -c | sort -nr | head -30
20654 1433
4622 4444
4458 445
3451 135
3189 139
2455 80
  448 6129
  270 3127
  140 2745
  124 4000
   96 21
   87 4899
   80 1025
   79 1080
   65 5000
   58 3128
   41 20168
   41 1981
   34 25
   28 3410
   26 36442
   23 23
   17 22
   15 443
   13 32772
   13 113
    7 81
    7 8000
    6 8080
    5 901

-- 
-Chuck
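An added example, not from Chuck's post or the FreeBSD tree: a small Python parser that rebuilds the per-port histogram from log_in_vain lines and also groups attempts by source address, which is what separates one host walking many ports (the scan in the quoted post) from many hosts all hitting a single worm port. The sample lines are constructed, and their layout assumes the FreeBSD kernel's "Connection attempt to TCP dst:port from src:port flags:0x.." message; adjust LINE_RE if your syslog prints the flags differently.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the thread). Format assumed: the FreeBSD
# kernel's "Connection attempt to TCP dst:port from src:port flags:0x.." message.
SAMPLE_LOG = """\
Apr 17 09:12:01 gw kernel: Connection attempt to TCP 192.0.2.10:1433 from 198.51.100.7:3321 flags:0x02
Apr 17 09:12:02 gw kernel: Connection attempt to TCP 192.0.2.10:1433 from 198.51.100.8:1100 flags:0x02
Apr 17 09:12:02 gw kernel: Connection attempt to TCP 192.0.2.10:445 from 198.51.100.9:2040 flags:0x02
Apr 17 09:12:03 gw kernel: Connection attempt to TCP 192.0.2.10:21 from 203.0.113.5:40001 flags:0x02
Apr 17 09:12:03 gw kernel: Connection attempt to TCP 192.0.2.10:22 from 203.0.113.5:40002 flags:0x02
Apr 17 09:12:03 gw kernel: Connection attempt to TCP 192.0.2.10:23 from 203.0.113.5:40003 flags:0x02
Apr 17 09:12:04 gw kernel: Connection attempt to TCP 192.0.2.10:25 from 203.0.113.5:40004 flags:0x02
Apr 17 09:12:04 gw kernel: Connection attempt to TCP 192.0.2.10:80 from 203.0.113.5:40005 flags:0x02
Apr 17 09:12:05 gw kernel: Connection attempt to TCP 192.0.2.10:80 from 198.51.100.7:3322 flags:0x10
Apr 17 09:12:05 gw kernel: Connection attempt to UDP 192.0.2.10:1434 from 198.51.100.7:3323
"""

LINE_RE = re.compile(
    r"Connection attempt to TCP (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) flags:0x(?P<flags>[0-9a-f]+)", re.I)
TH_SYN, TH_ACK = 0x02, 0x10  # TCP flag bits, as encoded in the flags: field

def syn_attempts(log_text):
    """Yield (dport, src) for SYN-only TCP attempts; skips UDP lines and stray ACKs."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = int(m["flags"], 16)
        if flags & TH_SYN and not flags & TH_ACK:
            yield int(m["dport"]), m["src"]

def port_histogram(log_text, top=30):
    """[(count, port), ...] descending, the shape of `uniq -c | sort -nr | head`."""
    counts = Counter(dport for dport, _ in syn_attempts(log_text))
    return sorted(((c, p) for p, c in counts.items()), key=lambda x: (-x[0], x[1]))[:top]

def scanning_sources(log_text, min_ports=5):
    """Sources that probed at least min_ports distinct ports: one host walking the
    port space (a portscan) rather than many hosts hitting a single worm port."""
    ports_by_src = defaultdict(set)
    for dport, src in syn_attempts(log_text):
        ports_by_src[src].add(dport)
    return {src: len(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    for count, port in port_histogram(SAMPLE_LOG):
        print(f"{count:5d} {port}")
    print(scanning_sources(SAMPLE_LOG))
```

Feed it `zcat /var/log/messages.*.gz` output to get the same histogram as the awk pipeline above, plus the list of sources that hit many ports; the hosts in that list are the ones worth a closer look, and the rest of the volume is the background noise Chuck describes.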



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40814F28.30501>