July 13, 2026
How I Exposed a Critical SIEM Vulnerability — And Why Your Infrastructure Might Be At Risk
TL;DR: Many organizations run unprotected syslog listeners on port 514. I built a tool that exploits this through IP spoofing and…
By soroush
4 min read
TL;DR: Many organizations run unprotected syslog listeners on port 514. I built a tool that exploits this through IP spoofing and multiprocess UDP floods, achieving 92,595 events/second against Splunk and rendering rate-limited Rsyslog ineffective causing complete log drop.
The Discovery
While conducting SIEM infrastructure assessments, I stumbled upon something that shouldn't exist: countless production systems running completely unprotected syslog listeners on UDP port 514.
The vulnerability isn't a zero-day or an unpatched bug. It's worse.
It's a configuration problem at scale.
Most organizations install Rsyslog (the default log collector on Linux) with factory defaults. They bind it to UDP port 514, assume their network perimeter is enough security, and move on. Meanwhile, anyone on the internal network can:
- Send unlimited syslog messages
- Spoof their IP address
- Bypass rate limits
- Crash or degrade SIEM performance
I tested this on Splunk, Ravin (a regional SIEM), and standard Rsyslog-based deployments — both with and without rate-limiting.
All of them failed.
The Core Vulnerability
Why UDP Port 514?
By default, most organizations configure their log collectors to listen on:
global(maxMessageSize="1500k")
module(load="imudp")
input(type="imudp" port="514")global(maxMessageSize="1500k")
module(load="imudp")
input(type="imudp" port="514")UDP is fast — no connection handshake, no overhead. It's perfect for collecting logs at scale.
It's also completely unauthenticated and wide open to spoofing.
The Problem With "Defenses"
I tested several common "hardening" approaches. None of them worked.
Splunk's IP filtering:
[udp://192.168.138.12:514]
connection_host = ip[udp://192.168.138.12:514]
connection_host = ipRsyslog with rate-limiting:
global(maxMessageSize="1500k")
input(type="imudp" port="514" RateLimit.Interval="5" RateLimit.Burst="25000")global(maxMessageSize="1500k")
input(type="imudp" port="514" RateLimit.Interval="5" RateLimit.Burst="25000")Both assumed single-source attacks. They didn't account for spoofing.
The Attack: IP Spoofing at Scale
Here's where it gets interesting.
Most internal networks allow IP spoofing. Administrators don't expect attackers on the inside. So I did this:
for i in {1..254}; do
sudo ip addr add 192.168.1.$i/24 dev eth0
donefor i in {1..254}; do
sudo ip addr add 192.168.1.$i/24 dev eth0
doneNow my single server had 254 simultaneous IP aliases. Each packet I sent could appear to come from a different machine.
To defenses that filter by source IP, it looked like 254 different legitimate systems all suddenly went haywire.
The Tool
I wrote a minimal Python script that:
- Creates UDP sockets bound to each spoofed IP
- Rotates through them, firing pre-built syslog packets as fast as the kernel allows
- Runs 12 parallel processes to saturate multiple CPU cores
No fancy features. No delays. Just raw UDP throughput.
The payload is intentionally minimal — just 26 bytes:
<14>Jan 01 00:00:00 a b\n<14>Jan 01 00:00:00 a b\nWhy? Because speed matters. The less time spent formatting packets, the more packets I can send.
The complete source code is available on GitHub:
https://github.com/Soroushnk/Scriptorium/tree/main/SIEM-DOS
The Results
Against Splunk (With IP Filtering)
Before Attack:
- UDP processor duty cycle: 1%
- Disk I/O duty cycle: 1.7%
- Events per second: ~404
- System load average: 0.240
- Parse queue backlog: 75 items
- Index queue: 1 KB (of 500)
After Attack:
- UDP processor duty cycle: 87.2%
- Disk I/O duty cycle: 92.2%
- Events per second: 92,595 (230x increase!)
- System load average: 4.760
- Parse queue backlog: 25,063 items
- Index queue: 470 KB (of 500) — 94% full
Result: Splunk's IP filtering provided zero additional protection. The spoofed IPs bypassed it instantly.
Against Rate-Limited Rsyslog
Rate-limiting doesn't prevent the attack — it just makes it visible in the logs:
Jul 13 23:39:05 lc rsyslogd[3756714]: imudp(*:514): 3,687,049 messages lost due to rate-limiting
Jul 13 23:39:05 lc rsyslogd[3756714]: imudp(*:514) from <a:b>: begin to drop messagesJul 13 23:39:05 lc rsyslogd[3756714]: imudp(*:514): 3,687,049 messages lost due to rate-limiting
Jul 13 23:39:05 lc rsyslogd[3756714]: imudp(*:514) from <a:b>: begin to drop messages3.6 million messages lost in a single second. The rate limiter can only drop packets; it can't prevent the flood from consuming CPU and I/O while doing so.
Result: Rate-limiting failed. Packets still consumed resources even though they were dropped.
Why This Matters
A SIEM is supposed to be your security eyes and ears. If an attacker can disable or degrade it, you're blind.
And the scary part? This attack requires almost no skill. It's just:
- Basic Python (standard library only)
- Knowledge of IP aliasing
- Understanding of syslog protocol
- Physical/logical access to the network
No exploits. No zero-days. Just configuration negligence at scale.
How to Defend Against This
For SIEM Administrators
1. Switch to TCP
TCP requires connections, making distributed spoofed attacks nearly impossible.
input(type="imtcp" port="514")input(type="imtcp" port="514")2. Implement Real Rate-Limiting
Modern Rsyslog rate-limiting is per-source-IP, but add a fallback:
input(type="imudp" port="514" RateLimit.Interval="1" RateLimit.Burst="5000")input(type="imudp" port="514" RateLimit.Interval="1" RateLimit.Burst="5000")3. Network Segmentation
Only allow specific log sources. Use ACLs and firewall rules to whitelist approved subnets.
4. Monitor for Anomalies
Alert on unusual source IP diversity. If you suddenly see 200+ unique IPs sending logs, investigate.
For Network Engineers
1. Disable IP Spoofing at the Edge
Implement RFC 2827 ingress filtering. Drop packets with source IPs that don't match the ingress interface.
2. Rate-Limit at Layer 3
Routers and firewalls can apply aggregate bandwidth limits per source and destination.
3. Monitor Connections
Alert on massive UDP flows to port 514 from unexpected sources.
The Big Picture
This vulnerability isn't about SIEM-specific bugs. It's about fundamental networking assumptions that no longer hold.
We built these systems assuming:
- Attackers are outside the network
- IP addresses are hard to spoof internally
- Everyone plays nice
All three assumptions are outdated.
Modern security architecture should assume attackers are already inside. Internal networks need the same scrutiny as perimeters.
A Final Note
This tool is for authorized security testing only. Testing against systems you don't own is illegal. Use it in lab environments, security assessments with written permission, and capacity planning exercises.
The goal isn't to break things — it's to understand how they break, so we can build better defenses.
Have you seen this vulnerability in your own infrastructure? Share your stories in the comments.
By Soroush Nekoozadeh