On Mon, 16 Nov 2009, Rainer Gerhards wrote:

> Hi all,
>
> I am working again on moving the DNS name resolution outside of the input
> thread of those sources where this is potentially time-consuming and
> affecting message acceptance rates. As it turned out, currently imudp seems
> to be the only case.
>
> While this is potentially easy to do, a problem is ACLs ($AllowedSender)
> which use system names rather than ip addresses. In order to check these
> ACLs, we need to do a DNS lookup. Especially in the case of UDP, such a
> lookup may actually cause message loss and thus may be abused by an attacker
> to cause a certain degree of denial of service (what also points out that
> these types of ACLs are not really a good idea, even though requested by
> practice).
>
> In the light of this, I will now do something that sounds strange at first: I
> will always accept messages that require DNS lookups and enqueue these into
> the main queue and do the name resolution AND the final name-based ACL check
> only on the queue consumer part. Please note that it will be done BEFORE
> message content is parsed, so there is no chance that buffer overflow attacks
> can be carried out from non-authenticated hosts. The core idea is to move the
> lengthy, potentially message-loss causing code, away from the input thread.
> The only questionable effect I can currently see is that queue space is
> potentially taken up by messages which will immediately be discarded and
> should not be there in the first place. At the extreme end, that could lead
> to loss of valid messages. But on the other hand valid messages are more
> likely to be lost by the DNS name query overhead if I do the ACL check
> directly in the input thread.
>
> As such, I think my intended move is correct. Does anyone have an argument
> against the approach I am now taking?

Personally I don't think that this sort of filtering belongs in rsyslog, 
it can be done at the OS level (with things like iptables), or rsyslog 
could use the tcpwrappers library. Both cases would filter (by IP) prior 
to it hitting rsyslog in the first place.

In addition, with UDP the source IP can be forged easily (rsyslog now 
contains this capability), so as a security measure it's questionable 
anyway.

I agree that fewer messages will probably be lost by accepting them and 
checking later than by pausing to do the check initially.

David Lang
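As an added illustration of the design discussed in this thread (this is constructed example code, not rsyslog's own implementation and not code posted by either author), the model below keeps the input path free of DNS work: senders matched by an IP/CIDR entry are accepted inline, everything else that could still match a host-name entry is queued with the check pending, and the reverse lookup plus the name-based ACL decision run on the consumer before the parser ever sees the bytes. The ACL entries, the reverse-DNS table standing in for the resolver, the bounded queue and the sample datagrams are all assumptions made for the demo; the queue capacity is deliberately small so that the trade-off Rainer mentions (queue slots consumed by messages that will be discarded) is visible in the result.

```python
"""
Toy model of deferring the name-based $AllowedSender check from the input
thread to the queue consumer. All data here is constructed for the example.
"""
from collections import deque
from ipaddress import ip_network, ip_address

# Constructed ACL: IP/CIDR entries are cheap and checked inline; host-name
# entries need a reverse DNS lookup and are therefore checked by the consumer.
ALLOWED_SENDERS = ["10.0.0.0/24", "loghost.example.test"]

# Constructed reverse-DNS table standing in for the (slow) resolver.
REVERSE_DNS = {
    "192.0.2.10": "loghost.example.test",
    "198.51.100.7": "other.example.test",
}


def split_acl(entries):
    """Separate ACL entries into network objects and host names."""
    nets, names = [], set()
    for entry in entries:
        try:
            nets.append(ip_network(entry, strict=False))
        except ValueError:          # not an address or CIDR: treat as a name
            names.add(entry)
    return nets, names


NETS, NAMES = split_acl(ALLOWED_SENDERS)


def ip_allowed(src):
    """Inline check against the IP/CIDR entries only; no DNS involved."""
    return any(ip_address(src) in net for net in NETS)


class BoundedQueue:
    """Main queue with fixed capacity; enqueue on a full queue is a drop."""

    def __init__(self, capacity):
        self.items = deque()
        self.capacity = capacity
        self.dropped = 0

    def put(self, item):
        if len(self.items) >= self.capacity:
            self.dropped += 1
            return False
        self.items.append(item)
        return True

    def get(self):
        return self.items.popleft() if self.items else None


def input_thread(queue, src, raw):
    """Fast path. Returns True if the datagram was enqueued.
    A sender not matched by an IP entry is still accepted when the ACL has
    name entries, with the name check flagged as pending for the consumer."""
    if ip_allowed(src):
        return queue.put((src, raw, False))   # decided, no lookup needed
    if NAMES:
        return queue.put((src, raw, True))    # name-based check deferred
    return False                              # nothing could match: drop


def reverse_lookup(src):
    """Stand-in for gethostbyaddr(); this is where the latency would live."""
    return REVERSE_DNS.get(src)


def parse(raw):
    """Stand-in for the syslog parser; reached only for authorised senders."""
    return raw.decode("utf-8", "replace").strip()


def consumer(queue):
    """Drain the queue; the deferred ACL check runs before parse()."""
    accepted, rejected = [], []
    while (item := queue.get()) is not None:
        src, raw, pending = item
        if pending and reverse_lookup(src) not in NAMES:
            rejected.append(src)              # discarded before parsing
            continue
        accepted.append((src, parse(raw)))
    return accepted, rejected


def run_demo(capacity=3):
    """Constructed traffic: two legitimate senders, one unauthorised sender
    that both carries an oversized payload and fills the last queue slot."""
    queue = BoundedQueue(capacity)
    datagrams = [
        ("10.0.0.5", b"<13>in-subnet host: ok\n"),
        ("192.0.2.10", b"<13>loghost: ok after lookup\n"),
        ("198.51.100.7", b"<13>" + b"A" * 4000 + b"\n"),   # never parsed
        ("198.51.100.7", b"<13>more from the same host\n"),  # queue is full
    ]
    for src, raw in datagrams:
        input_thread(queue, src, raw)
    accepted, rejected = consumer(queue)
    return {
        "accepted": [src for src, _ in accepted],
        "rejected": rejected,
        "dropped_at_input": queue.dropped,
    }
```

Running `run_demo()` shows both effects from the thread: the unauthorised datagram is discarded by the consumer without `parse()` touching it, and the input thread has already dropped one datagram because a to-be-rejected message occupied a queue slot. It also makes David's caveat concrete: `reverse_lookup()` only ever sees the source address the datagram claims, so a name-based entry says nothing about who actually sent a forged UDP packet.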
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com