Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 10 Jul 2000 10:59:01 +0200 (CEST)
From:      Paul Herman <pherman@frenchfries.net>
To:        core-ix@hushmail.com
Cc:        freebsd-arch@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject:   Re: Some proposals to FreeBSD kernel
Message-ID:  <Pine.BSF.4.21.0007101043230.265-100000@bagabeedaboo.security.at12.de>
In-Reply-To: <200007100823.BAA07998@mail3.hushmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On 10 xxx -1 core-ix@hushmail.com wrote:

> Some days ago my friend tell me that with simple user rights
> and whit only 1 line of code he could crash my machine. I laught
> but he did it :(.
> 
> What he wrote was ' int main(void) {while(1) fork(); }'  compiled it
> and run it. Within a second /kernel said "proc: table is full" and 
> died.

This DoS is probably as old as you are.  :)  Setting proper limits on
your system, like "maxproc" and "stacksize" et al. in /etc/login.conf
will clamp down on this.

"Security for a server also means protection against itself."

> So I sit down and wrote a static library that introduse a new fork()
> (nfork()) and _exit() (nexit()) whose only purpose is to lower the 
> effect ot fast fork()s by sleeping accordingly to the number of times
> fork() was called.

Your code is always welcome here,  :)  however most people here will
just tell you what I've just told you.

Perhaps a discussion of something like FORK_RATELIMIT along the lines
of ICMP_BANDLIM is in order?  After an adjustable threshold forks
slowly start slowing down, rather than coughing up a "Resource
temporarily unavailable"?

-Paul.



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0007101043230.265-100000>