[syslog-ng] syslog-ng stops listen to UDP after "nmap -sU"?

Kent Engström kent@unit.liu.se
17 Feb 2000 19:15:23 +0100

Today, I installed syslog-ng 1.3.15 on Solaris 7. I have the following very
simple config file (I am still evaluating syslog-ng):

  options { use_fqdn(yes); };
  source syslog_udp {
          udp(ip(xxx.yyy.zzz.www) port(514));
  };
  source syslog_internal {
          internal();
  };
  destination syslog_file {
          # body missing from the post as archived; reconstructed from the
          # log file name quoted below (date, FQDN host, facility)
          file("/somepath/logs/$YEAR-$MONTH-$DAY-$HOST-$FACILITY");
  };
  log { source(syslog_udp); source(syslog_internal); destination(syslog_file); };

xxx.yyy.zzz.www is a virtual IP address that is assigned to whatever server
is currently providing syslog service to the rest of the internal network.

Everything worked fine until I decided to portscan the syslog server.
When I did a UDP scan, syslog-ng stopped logging. This is what happens:

*) I start syslog-ng

*) I connect to our mail server, and see how the connection is logged in
   the file /somepath/logs/2000-02-17-mailserver.our.domain-mail

*) I run netstat -a and observe the line

xxx.yyy.zzz.www.514                            Idle

*) I execute "nmap -p 514 -sU xxx.yyy.zzz.www" on a Linux box

*) I run netstat -a and observe that there is no longer any entry for port 514.

*) The syslog-ng process is still running, though.

*) I connect to our mail server again. The connection is not logged
   by syslog-ng. In fact, nothing seems to be logged at all.

The packet that is sent by nmap during an "-sU scan" is a UDP packet
with zero bytes of data.

Obviously, this could be an easy way for a cracker to disable a loghost
in preparation for an attack on another host.

Can anybody repeat this?

Kent Engström,		Linköping University Incident Response Team
kent@unit.liu.se  	abuse@liu.se
+46 13 28 1744

UNIT, Linköping University; SE-581 83  LINKÖPING; SWEDEN
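The post does not say why the listener disappears, but the symptom (port gone, process still alive, after a single zero-byte UDP datagram) is what you get from a receive loop that treats a 0-byte read as end-of-stream and closes its socket. The script below is an added example, not code from the post or from syslog-ng; it reproduces that check against a throwaway listener on loopback so the behaviour can be verified without nmap or a production loghost. A zero-length datagram is legal UDP and `recvfrom()` legitimately returns an empty buffer for it; the tolerant loop ignores it, the fragile loop drops the listener, and a follow-up bind to the same port plays the role of the `netstat -a` check. The sample syslog lines and the port handling are constructed for the example.

```python
import socket
import threading

HOST = "127.0.0.1"  # loopback only: this is a local robustness check

# Constructed sample syslog lines (not from the original post)
MSG_BEFORE = b"<22>Feb 17 19:15:23 mailserver sendmail[123]: connect from client.example"
MSG_AFTER = b"<22>Feb 17 19:16:02 mailserver sendmail[124]: connect from client.example"


def receive_loop(sock, tolerate_empty, received):
    """Drain datagrams from sock until it has been idle for a short while.

    A zero-byte datagram is legal UDP: recvfrom() returns b"" for it.
    The fragile variant mistakes that for "end of stream" and closes the
    listener; the tolerant variant skips it and keeps serving.
    """
    while True:
        try:
            data, _peer = sock.recvfrom(65535)
        except OSError:          # includes the idle timeout set below
            return
        if data == b"":
            if tolerate_empty:
                continue         # nothing to log, keep listening
            sock.close()         # fragile: port disappears, process lives on
            return
        received.append(data)


def run_listener(tolerate_empty):
    """Bind a UDP listener, send message / empty datagram / message, and
    return (messages logged, whether the port is still bound afterwards)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((HOST, 0))               # ephemeral port
    srv.settimeout(0.5)               # lets the loop end once traffic stops
    port = srv.getsockname()[1]
    received = []
    worker = threading.Thread(target=receive_loop,
                              args=(srv, tolerate_empty, received))
    worker.start()

    # Loopback delivers these in order: a real message, the zero-byte
    # probe (what "nmap -sU" sends), then a second real message.
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.sendto(MSG_BEFORE, (HOST, port))
    cli.sendto(b"", (HOST, port))
    cli.sendto(MSG_AFTER, (HOST, port))
    cli.close()
    worker.join()

    # Equivalent of checking "netstat -a" for the port: if the listener
    # still holds it, a second bind must fail with EADDRINUSE.
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        probe.bind((HOST, port))
        still_bound = False
    except OSError:
        still_bound = True
    finally:
        probe.close()
    srv.close()
    return received, still_bound


if __name__ == "__main__":
    for tolerant in (False, True):
        logged, bound = run_listener(tolerant)
        print(f"tolerate_empty={tolerant}: logged {len(logged)} of 2 messages, "
              f"port still bound: {bound}")
```

The same three-datagram sequence can be aimed at any UDP listener you operate to confirm it survives an empty datagram; the point to check is that the second real message is still logged and the port still shows up as bound.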