Date: Wed, 8 Jul 1998 19:38:54 -0400 From: Garance A Drosihn <drosih@rpi.edu> To: freebsd-current@FreeBSD.ORG Subject: Re: Rate limit for system calls to prevent denial of service attacks? Message-ID: <v0401172cb1c9b215dc36@[128.113.24.47]> In-Reply-To: <199807082045.GAA12071@godzilla.zeta.org.au>
next in thread | previous in thread | raw e-mail | index | archive | help
>>The following small program:
>>
>> main(){while(1) fork();}
>>
>> is a very effective denial of service attack against FreeBSD-2.2.6,
>> despite reasonable defaults in login.conf. The problem is *not* the
>> number of processes, but the system call rate. It's actually kind of
>> amazing to follow this with vmstat, and see that the box is suddenly
>> doing 395000 system calls per second :-) (this is a P-166).
The subject of this thread asks about adding a rate-limit for
system calls. I don't think that's a good idea, but I would like
to see some kind of throttling of calls to fork() in particular.
Every year we (RPI) have a systems-programming project which
introduces students to the fork() subroutine, and every year
someone gets their if-statements mixed up and unwittingly writes
a "fork bomb" which will bring down our remote-access machines.
Now those machines aren't freebsd (not yet, at least!), but the
idea of some extra logic in fork seems like it could be
worthwhile.
---
Garance Alistair Drosehn = gad@eclipse.its.rpi.edu
Senior Systems Programmer or drosih@rpi.edu
Rensselaer Polytechnic Institute
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?v0401172cb1c9b215dc36>