In some email I received from Volker Wiegand, sie wrote:
 > 
 > On Wed, 20 Oct 1999, Darren Reed wrote:
 > 
 > > If DoS attacks are a concern, the port number is irrelevant.  The problem
 > > here with a port > 1024 is when it is running on a multi-user system that
 > > `students' (in this case) can log on to and run something else instead.
 > > 
 > Hmmm, what could be a better DoS attack than this?
 > 
 > > In my mind, the protocol should not require every syslog client to listen
 > > on such a port any more than every web browser listens on port 80.  In a
 > > previous email, the idea of the syslog server talking to others and
 > > requesting syslog information would work better with a port number under
 > > 1024.
 > > 
 > To be honest, I don't get your point here.

In a scenario where you have every host doing logging making connections
back to a single loghost, those "client" syslog daemons don't need to listen
on whatever TCP port it is.  Also it makes very little sense to have "other"
people or activity allowed on the loghost.  i.e. if someone can inflict a
DoS attack on you by starting something up on your syslog port, your security
has been breached already.

Darren
