Monday, August 3, 2009

SYSLOG and SNMP Bombs

Problem:

This issue is similar to the MAIL BOMB ATTACK.

Unauthorized users can send large amounts of large log messages to your logging server, often filling up disk space on your system and denying collection of additional logging data.

These attacks usually involve the unauthorized user(s) sending thousands of large log messages to your server.

Once the disk fills up, additional messages are rejected by the server.

Solutions:

* Deploy monitoring systems

  Ensure your monitoring systems track the number of log messages arriving at your server and report sudden spikes in traffic.

  In addition, monitoring systems should check the free disk space on your systems and report when your partitions are in jeopardy.

* Ensure log directories are on dedicated disk partitions

  Ensure that your mail spool and log directories would not affect other aspects of the system if they were filled.

  For example, having a log message directory on a Unix ROOT file system may affect the availability of the system itself if the system was subject to a successful Denial Of Service Attack.

* Report abuse to your Internet Service Provider

  When a Denial Of Service attack is detected on your systems, contact the Security Department of your Internet Service Provider to have them assist in tracking down the source of the active attack.
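As an added example (not part of the original post), the following Python script shows the two monitoring checks above in working form: it parses BSD-style syslog lines, flags any source whose message count or byte volume inside a sliding window exceeds a threshold, and checks whether the partition holding a path is running low on free space. The log lines, host names, thresholds and the assumed year 2009 are all constructed for the demonstration.

```python
import re
import shutil
from collections import defaultdict, deque
from datetime import datetime

# Classic BSD syslog line: "Mon dd hh:mm:ss host message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
YEAR = 2009  # BSD timestamps carry no year; assumed here for parsing only

def parse(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]

def find_floods(lines, window_s=60, max_msgs=100, max_bytes=50_000):
    """Return {host: (count, bytes)} at the first moment a source exceeds
    either threshold within a sliding window of window_s seconds."""
    recent = defaultdict(deque)    # host -> deque of (timestamp, line size)
    in_window = defaultdict(int)   # host -> bytes currently inside the window
    flagged = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue               # malformed line; a real collector should count these too
        ts, host, _ = parsed
        q = recent[host]
        q.append((ts, len(line)))
        in_window[host] += len(line)
        while q and (ts - q[0][0]).total_seconds() > window_s:
            _, old = q.popleft()   # slide the window forward
            in_window[host] -= old
        if host not in flagged and (len(q) > max_msgs or in_window[host] > max_bytes):
            flagged[host] = (len(q), in_window[host])
    return flagged

def partition_at_risk(path, min_free_pct=10.0):
    """True when the partition holding path has less than min_free_pct free."""
    u = shutil.disk_usage(path)
    return 100.0 * u.free / u.total < min_free_pct

def sample_lines():
    """Constructed sample: ordinary traffic from two hosts plus one source
    sending 150 large messages within 15 seconds (not real data)."""
    lines = ["Aug  3 10:00:01 host1 sshd[101]: Accepted publickey for admin from 10.0.0.5",
             "Aug  3 10:00:02 host2 cron[55]: (root) CMD (run-parts /etc/cron.hourly)"]
    lines += [f"Aug  3 10:00:{5 + i // 10:02d} host9 app[1]: " + "X" * 400 for i in range(150)]
    lines.append("Aug  3 10:01:30 host1 sshd[101]: session closed for user admin")
    return lines

if __name__ == "__main__":
    for host, (n, size) in find_floods(sample_lines()).items():
        print(f"ALERT: {host} sent {n} messages ({size} bytes) inside one window")
    print("partition holding '.' at risk:", partition_at_risk("."))
```

Pointing `partition_at_risk` at the log directory's own path (for example `/var/log`) is what makes the check meaningful when logs live on a dedicated partition, as the post recommends.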
