Date:      Thu, 9 Jul 1998 06:45:38 +1000
From:      Bruce Evans <bde@zeta.org.au>
To:        freebsd-current@FreeBSD.ORG, sthaug@nethelp.no
Subject:   Re: Rate limit for system calls to prevent denial of service attacks?
Message-ID:  <199807082045.GAA12071@godzilla.zeta.org.au>

>The following small program:
>
>	main(){while(1) fork();}
>
>is a very effective denial of service attack against FreeBSD-2.2.6, 
>despite reasonable defaults in login.conf. The problem is *not* the
>number of processes, but the system call rate. It's actually kind of
>amazing to follow this with vmstat, and see that the box is suddenly
>doing 395000 system calls per second :-) (this is a P-166).

The problem is actually the number of hog processes.  If there are
100 of them then each will run for about 100ms every 10 seconds and
competing processes won't be able to get more than 1/101 of the CPU
although they may be able to run more often if they don't use much
CPU.  Nicing the hogs works OK, but the process priorities apparently
don't decay fast enough to have much effect for a large number of
nasty hogs.

Bruce
