From: Bruce Evans
Date: Thu, 9 Jul 1998 06:45:38 +1000
To: freebsd-current@FreeBSD.ORG, sthaug@nethelp.no
Subject: Re: Rate limit for system calls to prevent denial of service attacks?

>The following small program:
>
> main(){while(1) fork();}
>
>is a very effective denial of service attack against FreeBSD-2.2.6,
>despite reasonable defaults in login.conf. The problem is *not* the
>number of processes, but the system call rate. It's actually kind of
>amazing to follow this with vmstat, and see that the box is suddenly
>doing 395000 system calls per second :-) (this is a P-166).

The problem is actually the number of hog processes. If there are 100 of
them then each will run for about 100ms every 10 seconds and competing
processes won't be able to get more than 1/101 of the CPU although they
may be able to run more often if they don't use much CPU. Nicing the hogs
works OK, but the process priorities apparently don't decay fast enough
to have much effect for a large number of nasty hogs.

Bruce
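Added here to illustrate the CPU-share arithmetic in the reply; this is a constructed model, not code from the thread or from FreeBSD. It assumes a fixed 100 ms quantum and plain round robin with no priority decay, so it reproduces the "100 ms every 10 seconds" and "at most 1/101 of the CPU" figures for a hog count N, but not the more frequent scheduling of light processes that the reply attributes to priority decay.

```python
# Constructed fixed-quantum round-robin model (assumption: not the FreeBSD 2.2
# scheduler). N CPU-bound hogs compete with one other process; the model
# reports that process's CPU share and how often hog 0 gets to run.
from collections import deque

COMPETITOR = -1  # id of the non-hog process; hogs are 0..n_hogs-1


def simulate(n_hogs, quantum_ms, burst_ms, sleep_ms, total_ms):
    """Run the model for about total_ms and return
    (competitor CPU share, competitor run count, hog 0's time between runs)."""
    run_queue = deque(range(n_hogs))
    run_queue.append(COMPETITOR)
    t = 0
    wake_at = None            # time the competitor becomes runnable again
    comp_cpu = comp_runs = 0
    hog0_starts = []          # start times of hog 0's slices

    def wake_if_due():
        nonlocal wake_at
        if wake_at is not None and t >= wake_at:
            run_queue.append(COMPETITOR)
            wake_at = None

    while t < total_ms:
        wake_if_due()
        if not run_queue:     # nobody runnable: idle until the competitor wakes
            t = wake_at
            continue
        pid = run_queue.popleft()
        if pid == COMPETITOR:
            # Runs for its burst (capped by the quantum), then blocks.
            used = min(burst_ms, quantum_ms)
            t += used
            comp_cpu += used
            comp_runs += 1
            wake_at = t + sleep_ms
        else:
            # Hogs never block: they always consume the full quantum.
            if pid == 0:
                hog0_starts.append(t)
            t += quantum_ms
            wake_if_due()     # woke during this slice: queued ahead of the hog
            run_queue.append(pid)
    hog0_period = hog0_starts[1] - hog0_starts[0] if len(hog0_starts) > 1 else None
    return comp_cpu / t, comp_runs, hog0_period


def share_bound(n_hogs):
    """Best case for a CPU-bound competitor under round robin: 1/(N+1)."""
    return 1.0 / (n_hogs + 1)
```

With 100 hogs and a 100 ms quantum, a CPU-bound competitor gets exactly 1/101 of the CPU and hog 0 runs once every 10.1 s; a process that needs only 5 ms per wakeup is still scheduled only once per pass through the queue in this model.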