From: Jim Bryant <jbryant@unix.tfs.net>
Subject: Re: [Fwd: Secure Ping 1.0]
To: njs3@doc.ic.ac.uk (Niall Smart)
Cc: freebsd-hackers@FreeBSD.ORG
Date: Thu, 11 Jun 1998 15:01:22 -0500 (CDT)
Reply-to: jbryant@unix.tfs.net
Message-Id: <199806112001.PAA22953@unix.tfs.net>
In-Reply-To: from Niall Smart at "Jun 11, 98 08:28:43 pm"
X-Operating-System: FreeBSD 3.0-CURRENT #16: Fri Jun 5 01:17:30 CDT 1998
X-Mailer: ELM [version 2.4ME+ PL32 (25)]

In reply:
> On Jun 11, 2:10pm, Robert Watson wrote:
> } Subject: Re: [Fwd: Secure Ping 1.0]
> > On Thu, 11 Jun 1998, IBS / Andre Oppermann wrote:
> >
> > > This looks promising ;-)
> >
> > Personally, I was under-impressed. This doesn't stop anyone from writing
> > a tiny program that sends 64k UDP packets to deny service.
>
> Yeah. Pointless or what? What you really need is resource limits for
> sockets. Some Japanese folks worked on this a while ago, but I've lost
> the URL. It looked good but I'm not sure if it's still being maintained.
> Resource limits for sockets would be neato, I'm sure the virtual hosting
> people would go crazy for it. I'd guess that you could shim it in pretty
> easily at the top of the sockets interface without too much trouble.
> Linux can do something like this using some special device file but I
> don't think it's enforceable on a user-by-user basis.

mebbe limiting icmp, but can global socket limits create an unusable
situation? heck, such limits could be imposed that would prevent people
from doing legitimate tasks.

whatever happened to bandwidth limiting? an intelligent bandwidth
limiting algorithm could detect an ICMP flood and filter its bandwidth
down to a trickle.. other protocols could be done the same way.

the original "secure-ping" idea presented is useful for preventing abuse
by the casual unix user. anyhow, what kind of idiot keeps a compiler
user-accessible in an untrusted environment?!

mebbe a rtprio-type function that would operate on valid streams that
have been bandwidth limited.

jim
-- 
All opinions expressed are mine, if you   | "I will not be pushed, stamped,
think otherwise, then go jump into turbid | briefed, debriefed, indexed, or
radioactive waters and yell WAHOO !!!     | numbered!" - #1, "The Prisoner"
------------------------------------------------------------------------------
Inet: jbryant@tfs.net  AX.25: kc5vdj@wv0t.#neks.ks.usa.noam  grid: EM28pw
voice: KC5VDJ - 6 & 2 Meters AM/FM/SSB, 70cm FM.  http://www.tfs.net/~jbryant
------------------------------------------------------------------------------
HF/6M/2M: IC-706-MkII, 2M: HTX-212, 2M: HTX-202, 70cm: HTX-404, Packet: KPC-3+
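The two ideas argued over in this thread, a coarse global limit versus a per-protocol bandwidth limiter that throttles an ICMP flood "down to a trickle" while leaving other traffic alone, can be tried out in a small simulation. The following is an added example written for this page; it is not code from the thread, from FreeBSD, or from the "secure ping" program being discussed. It implements a plain token bucket over a constructed packet trace (a 64 KB/s stream of 64-byte ICMP packets interleaved with 1500-byte TCP segments every 10 ms). The bucket rates and burst sizes are illustrative assumptions, as is the packet trace itself.

```c
/*
 * Added example (not from the mailing-list thread): a token-bucket
 * throttle applied per protocol, and the same bucket shared globally,
 * run over a constructed packet trace.  Rates, burst sizes and the trace
 * are illustrative assumptions.
 */
#include <stdio.h>

#define SCALE 1000000LL   /* tokens are kept in "micro-bytes" so the
                             refill arithmetic stays exact in integers */
#define ICMP 1
#define TCP  6

struct bucket {
    long long rate;      /* sustained bytes per second */
    long long cap;       /* burst capacity, micro-bytes */
    long long tokens;    /* current fill, micro-bytes */
    long long last_us;   /* time of the last refill */
};

struct packet { long long t_us; int proto; int len; };
struct counts { int icmp_ok, icmp_drop, tcp_ok, tcp_drop; };

static void bucket_init(struct bucket *b, long long rate_bps, long long burst_bytes)
{
    b->rate = rate_bps;
    b->cap = burst_bytes * SCALE;
    b->tokens = b->cap;          /* start full: a short burst is allowed */
    b->last_us = 0;
}

/* Refill for the elapsed time, then admit the packet only if it fits. */
static int bucket_admit(struct bucket *b, long long now_us, int len)
{
    long long elapsed = now_us - b->last_us;
    if (elapsed > 0) {
        b->tokens += elapsed * b->rate;   /* us * bytes/s = micro-bytes */
        if (b->tokens > b->cap)
            b->tokens = b->cap;
        b->last_us = now_us;
    }
    long long need = (long long)len * SCALE;
    if (b->tokens >= need) {
        b->tokens -= need;
        return 1;                          /* forwarded */
    }
    return 0;                              /* dropped */
}

/* Constructed trace: 200 ICMP packets of 64 bytes, one per millisecond
 * (a 64 KB/s flood), plus a legitimate TCP segment of 1500 bytes every
 * 10 ms.  Returns the number of packets written (220). */
#define NPKT 220
static int build_sample(struct packet *p)
{
    int n = 0;
    for (long long t = 0; t < 200000; t += 1000) {
        if (t % 10000 == 0)
            p[n++] = (struct packet){ t, TCP, 1500 };
        p[n++] = (struct packet){ t, ICMP, 64 };
    }
    return n;
}

static void tally(struct counts *c, int proto, int ok)
{
    if (proto == ICMP) { if (ok) c->icmp_ok++; else c->icmp_drop++; }
    else               { if (ok) c->tcp_ok++;  else c->tcp_drop++;  }
}

/* Per-protocol limiting: ICMP gets 1 KB/s with a 1 KB burst, TCP gets
 * 1 MB/s with a 64 KB burst.  The flood is cut to a trickle; TCP is untouched. */
static struct counts run_per_protocol(void)
{
    struct packet p[NPKT];
    int n = build_sample(p);
    struct bucket icmp, tcp;
    struct counts c = {0, 0, 0, 0};
    bucket_init(&icmp, 1000, 1024);
    bucket_init(&tcp, 1000000, 65536);
    for (int i = 0; i < n; i++) {
        struct bucket *b = (p[i].proto == ICMP) ? &icmp : &tcp;
        tally(&c, p[i].proto, bucket_admit(b, p[i].t_us, p[i].len));
    }
    return c;
}

/* One global limit of 1 KB/s for everything: the flood drains the bucket
 * and every TCP segment is dropped, the "unusable situation" Jim worries about. */
static struct counts run_shared(void)
{
    struct packet p[NPKT];
    int n = build_sample(p);
    struct bucket shared;
    struct counts c = {0, 0, 0, 0};
    bucket_init(&shared, 1000, 1024);
    for (int i = 0; i < n; i++)
        tally(&c, p[i].proto, bucket_admit(&shared, p[i].t_us, p[i].len));
    return c;
}

int main(void)
{
    struct counts a = run_per_protocol(), s = run_shared();
    printf("per-protocol: icmp %d/%d forwarded, tcp %d/%d forwarded\n",
           a.icmp_ok, a.icmp_ok + a.icmp_drop, a.tcp_ok, a.tcp_ok + a.tcp_drop);
    printf("shared:       icmp %d/%d forwarded, tcp %d/%d forwarded\n",
           s.icmp_ok, s.icmp_ok + s.icmp_drop, s.tcp_ok, s.tcp_ok + s.tcp_drop);
    return 0;
}
```

With the per-protocol buckets, the 1 KB burst lets the first 16 flood packets through and then only one 64-byte packet per 64 ms, so 19 of 200 are forwarded while all 20 TCP segments pass. With the single shared bucket the flood keeps the fill below 1500 bytes at all times, so no TCP segment is ever admitted even though the ICMP trickle is identical. The design point is that the limit has to be keyed on something the flood cannot share with legitimate traffic (protocol, source, or per-user socket as the quoted text suggests), and that the burst size sets how much gets through before throttling starts.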