Control: retitle -1 vnc4server: shows (and blacklists) wrong IP: 0.0.0.0, can lead to DoS
Control: severity -1 important

Hi,

Brett Wuth wrote:
> A workaround is to disable the blacklist altogether by setting the
> timeout to 0.

This helps against the blacklisting issue, but the real culprit is that obviously the real IP doesn't even get into the output/log at all.

Security implications don't only pop up when it comes to blacklisting, but also when analyzing an attack based on the logs. I had such a case today and instead of the attacker's IP I only found "0.0.0.0" in the log -- which was kind of annoying as I had to bother our network security guys to get the IP of the attacker from the firewall logs.

I'm raising the severity to important as writing the wrong IP into the log can be seen as some kind of data loss. (I don't think it's that kind of data loss which validates RC severity.)

Brett Wuth wrote:
> This bug has cropped up on one of the systems I administer. It
> appears to be the result of *all* client IPv6 addresses being
> incorrectly translated into the IPv4 address 0.0.0.0, and so lumped in
> together thus enabling a denial of service.

I've just verified that a connection from a Wheezy machine is logged as "0.0.0.0" even if the server machine only has IPv4 (plus an fe80:: link local address). (JFTR: I also get 0.0.0.0 if I connect using the server's IPv6 link local address.)

So I think this is not an IPv6-only problem. It's possible, though, that there may be two separate issues both leading to "0.0.0.0" being displayed -- of which one at least happens with IPv4 and the other is IPv6-only as Brett suggests.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
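The report above does not say where in vnc4server the address gets lost, so the following is an added illustration of the behaviour a practitioner would check for, not vnc4server code: turning a peer sockaddr into a textual key for both IPv4 and IPv6 (including an IPv4 client arriving as ::ffff:a.b.c.d on a dual-stack socket), and refusing to key a blacklist on an unspecified address, because once every client collapses to "0.0.0.0" one attacker's failed attempts lock everyone out. The sample addresses are constructed inline; no live socket is involved. Function names and the static key buffer are this example's own choices.

```c
/* Added example, not vnc4server code. Peer-address formatting and the
 * blacklist-key check that the 0.0.0.0 bug report calls for. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Format a peer address for logging/blacklisting. An IPv4-mapped IPv6
 * address (::ffff:a.b.c.d) is printed as plain a.b.c.d so an IPv4 client
 * gets the same key whether it hit an AF_INET or a dual-stack AF_INET6
 * listener. Returns 0 on success, -1 for an unsupported family. */
int peer_to_string(const struct sockaddr *sa, char *out, size_t outlen)
{
    switch (sa->sa_family) {
    case AF_INET: {
        const struct sockaddr_in *in = (const struct sockaddr_in *)sa;
        return inet_ntop(AF_INET, &in->sin_addr, out, outlen) ? 0 : -1;
    }
    case AF_INET6: {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        if (IN6_IS_ADDR_V4MAPPED(&in6->sin6_addr)) {
            struct in_addr v4;
            memcpy(&v4, &in6->sin6_addr.s6_addr[12], 4); /* low 32 bits */
            return inet_ntop(AF_INET, &v4, out, outlen) ? 0 : -1;
        }
        return inet_ntop(AF_INET6, &in6->sin6_addr, out, outlen) ? 0 : -1;
    }
    default:
        return -1;
    }
}

/* A blacklist keyed on the unspecified address ("0.0.0.0" or "::") lumps
 * every client together, which is the denial of service in the report.
 * Returns 1 if the key may be used, 0 if the caller must log and skip. */
int blacklist_key_usable(const char *key)
{
    return key != NULL && key[0] != '\0'
        && strcmp(key, "0.0.0.0") != 0 && strcmp(key, "::") != 0;
}

/* Build a sockaddr from a constructed textual address (IPv6 if it has a
 * colon, else IPv4) and return its log key from a static buffer.
 * NULL on parse failure. Stand-in for getpeername() on a real socket. */
const char *peer_key_from_text(const char *ip)
{
    static char buf[INET6_ADDRSTRLEN];
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof ss);
    if (strchr(ip, ':')) {
        struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)&ss;
        in6->sin6_family = AF_INET6;
        if (inet_pton(AF_INET6, ip, &in6->sin6_addr) != 1) return NULL;
    } else {
        struct sockaddr_in *in = (struct sockaddr_in *)&ss;
        in->sin_family = AF_INET;
        if (inet_pton(AF_INET, ip, &in->sin_addr) != 1) return NULL;
    }
    if (peer_to_string((struct sockaddr *)&ss, buf, sizeof buf) != 0) return NULL;
    return buf;
}

int main(void)
{
    /* Constructed sample peers, not captured traffic. */
    const char *samples[] = {
        "192.0.2.10",          /* plain IPv4 client */
        "2001:db8::1",         /* global IPv6 client */
        "::ffff:192.0.2.10",   /* IPv4 client seen through a dual-stack socket */
        "fe80::1",             /* link-local IPv6, as in the report */
        "0.0.0.0",             /* what the buggy log actually shows */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *key = peer_key_from_text(samples[i]);
        printf("%-20s -> %-16s blacklist key %s\n", samples[i],
               key ? key : "?", blacklist_key_usable(key) ? "ok" : "REJECTED");
    }
    return 0;
}
```

If the textual key you get from a connection is "0.0.0.0" for a client that clearly did not come from there, the fault is before this point (the sockaddr handed over is empty or the wrong length), which is the kind of thing to look for in the server's accept path rather than in the blacklist itself.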