[rbldnsd] Re: logfile > 2G may result in DoS to rbldnsd

Michael Tokarev mjt at tls.msk.ru
Tue Jan 13 18:07:27 MSK 2004


[Cc'd to rbldnsd mailinglist]

Anders Henke wrote:
[]
> However, I came across a minor problem: when logging to file and the 
> logfile's size reaches 2G (exactly 2^31-1), rbldnsd stops working:
> it keeps running, but doesn't answer queries anymore and doesn't log 
> (e.g. to syslog) about having a problem.

Hmm.

Which OS are you using?  The situation you described does not look
normal.  It should not stall, but it should just stop logging (best
case) or should be killed by SIGXFSZ signal (worst case).  It will be
interesting to see some trace (strace/ktrace/truss) output of the
situation.

> On a busy host, this can be some kind of DoS: busy hosts already have a 
> few 10M of requests per day and can handle them with almost no CPU or 
> RAM resources, so usual DoS-attacks are no problem; if someone floods such 
> a host with a few million additional requests, those hosts can reach the 
> 2G-limit before the daily logrotate arrives (one of our sbl-mirrors has
> been non-functional for an hour this morning due to this issue).

Well yes.  In fact, I added logging just as a debugging tool, it is not
supposed to be enabled on a production system, exactly due to the amount of
data it generates.  If you want to perform logging, I highly recommend
to rotate logs much more frequently, e.g. once per hour or so.  After
all, huge logfiles are almost impossible to deal with anyway.. ;)

> Of course, best solution would be to enable rbldnsd for O_LARGEFILE-support ...

It is possible and should be easy to do.  E.g., by passing
O_LARGEFILE to log open() routine if defined.  But before
this, I'm very interested to see what exactly it is doing
when it reaches 2Mb logfile limit.  It should not stall like
you described, regardless.

/mjt
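
The behaviour discussed in this message (pass O_LARGEFILE to open() if defined, and stop logging rather than stall or be killed by SIGXFSZ) can be sketched as below; this is an added example, not code from rbldnsd or from the message author. The names log_open, log_line and demo_size_limit and the file name are hypothetical, and RLIMIT_FSIZE stands in for the 2G ceiling so the failure can be reproduced with a few bytes.

```c
#define _LARGEFILE64_SOURCE    /* asks glibc to expose O_LARGEFILE */
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

#ifndef O_LARGEFILE
#define O_LARGEFILE 0          /* not defined here: open() gets no extra flag */
#endif
static int log_fd = -1;        /* -1 means logging is switched off */

/* Open the log for appending; returns 0 on success, -1 on failure. */
int log_open(const char *path) {
    signal(SIGXFSZ, SIG_IGN);  /* an over-limit write() now fails with EFBIG */
    log_fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_LARGEFILE, 0644);
    return log_fd < 0 ? -1 : 0;
}

/* Append one line. A failed or short write switches logging off so the
 * caller keeps serving. Returns 1 if the line was logged, 0 if dropped. */
int log_line(const char *line) {
    size_t len = strlen(line);
    if (log_fd < 0) return 0;
    if (write(log_fd, line, len) == (ssize_t)len) return 1;
    close(log_fd); log_fd = -1;
    return 0;
}

/* Simulate the size ceiling with RLIMIT_FSIZE and constructed 16-byte lines.
 * Returns how many of `attempts` lines were logged, or -1 on setup error. */
int demo_size_limit(const char *path, rlim_t limit, int attempts) {
    struct rlimit old, tiny;
    int logged = 0;
    unlink(path);
    if (getrlimit(RLIMIT_FSIZE, &old) != 0 || log_open(path) != 0) return -1;
    tiny = old; tiny.rlim_cur = limit;
    if (setrlimit(RLIMIT_FSIZE, &tiny) != 0) return -1;
    for (int i = 0; i < attempts; i++) logged += log_line("query 192.0.2.1\n");
    setrlimit(RLIMIT_FSIZE, &old);
    if (log_fd >= 0) { close(log_fd); log_fd = -1; }
    unlink(path);
    return logged;
}

int main(void) {
    printf("logged %d of 10 lines\n", demo_size_limit("demo-query.log", 64, 10));
    return 0;
}
```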


