Date: Fri, 3 Dec 1999 18:21:57 -0500 (EST)
From: Brian Fundakowski Feldman
To: Dan Harnett
Cc: Mike Tancsa, freebsd-security@FreeBSD.org
Subject: Re: Other outstanding vulnerabilities
In-Reply-To: <19991203153353.5FB085D026@mail.wzrd.com>

On Fri, 3 Dec 1999, Dan Harnett wrote:

> Hello,
>
> It has been my experience that the setsockopt() DoS can be avoided by setting
> NMBCLUSTERS to a reasonably high level and setting a limit on the number of
> file descriptors that any given user can use (be it through the shell or through
> /etc/login.conf). I realize this is not a fix, but it seems to work until there
> is a fix available.

There is a limit to socket buffer total size in 4.0. You can wait for that
to come out, or possibly MFC it yourself (not too hard.) There is also
work to make these resource shortages less harmful (i.e. not panic), but
that's not quite done yet. Look for "sbsize".

>
> Dan Harnett

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'
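An added example, not part of the original message or of FreeBSD's own code: a small audit of login.conf text that reports login classes whose hard `openfiles` or `sbsize` limit is missing or unlimited, the two per-user limits this thread relies on. The sample file, class names and function names are constructed for illustration, and the parser assumes capability values contain no escaped colons.

```python
import re

# Values login.conf(5) treats as "no limit".
UNLIMITED = {"infinity", "inf", "unlimited", "unlimit", "-1"}
# Limits named in the thread: descriptors and total socket buffer size.
REQUIRED = ("openfiles", "sbsize")

# Constructed sample login.conf; class names and values are made up.
SAMPLE = """\
default:\\
    :openfiles=unlimited:\\
    :sbsize=unlimited:
shellusers:\\
    :openfiles=256:\\
    :sbsize=4M:\\
    :tc=default:
staff:\\
    :openfiles-cur=128:\\
    :tc=default:
"""

def parse_login_conf(text):
    """Return {class_name: {capability: value}} from login.conf text."""
    joined = re.sub(r"\\\n\s*", "", text)  # join continuation lines
    classes = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        caps = {}
        for field in filter(None, fields[1:]):
            key, _, value = field.partition("=")
            caps[key] = value
        for name in fields[0].split("|"):  # "name|alias" share one record
            classes[name] = caps
    return classes

def effective(classes, name, seen=()):
    """Resolve tc= inheritance; a class's own entries override the parent."""
    caps = dict(classes.get(name, {}))
    parent = caps.pop("tc", None)
    if parent and parent not in seen:
        caps = {**effective(classes, parent, seen + (name,)), **caps}
    return caps

def unbounded_limits(classes, name):
    """Required limits whose hard value is missing or unlimited."""
    caps = effective(classes, name)
    # "X" or "X-max" sets the hard limit; "X-cur" alone does not.
    hard = {k: caps.get(k + "-max", caps.get(k)) for k in REQUIRED}
    return [k for k, v in hard.items() if v is None or v.lower() in UNLIMITED]
```

After changing /etc/login.conf on a real system, rebuild the capability database with `cap_mkdb /etc/login.conf` so the new limits take effect at the next login.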