Date: Tue, 3 Sep 2002 11:52:24 -0500 (CDT) From: Mike Silbersack <silby@silby.com> To: Alfred Perlstein <bright@mu.org> Cc: Benjamin Krueger <benjamin@seattleFenix.net>, Ivan Streetovich <bad_dot_c@yahoo.com>, <chat@freebsd.org>, <security@freebsd.org> Subject: Re: From: Ivan Streetovich, Japan Message-ID: <20020903115002.T5618-100000@patrocles.silby.com> In-Reply-To: <20020903055340.GF73747@elvis.mu.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 2 Sep 2002, Alfred Perlstein wrote: > * Mike Silbersack <silby@silby.com> [020902 17:06] wrote: > > > > This is just another local mbuf exhaustion attack. We should probably put > > in countermeasures for this one of these days, but it's not all that much > > of a serious problem. If you have a shell machine you wish to get your > > access revoked on, then by all means go ahead and use this program. > > I think the 'sbsize' ulimit already protects people from this. > > I think the problem is that it's not set by default, however I think > that's somewhat of a good thing as it makes sure we don't bomb out > when someone tries to bench us. Doh, I had forgotten about that setting. Sbsize does work decently in such a situation, but it's not ready to be enabled by default. In addition to the fact that it would bomb out people doing high volume benchmarks, there's also the problem that it accounts for receive buffers, which are empty most of the time. Bosko and I had thrown around some ideas on how to improve mbuf limiting, but we haven't had time to work on them yet. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020903115002.T5618-100000>