Delivered-To: freebsd-questions@freebsd.org
From: "Matthew Emmerton"
To: "John Indra"
Subject: Re: My network is dead because of this program :(
Date: Tue, 15 May 2001 22:44:32 -0400

> Dear all...
>
> First of all, really sorry for cross-posting...
>
> I am running a -CURRENT system (Apr 30th 2001). There is a user in my
> machine running this small program to DoS my xl0 interface. I doubt that
> this program is specifically designed for xl cards though.
>
> Once the program is started, it starts forking children I assume. Then after
> some time, these messages start popping to my screen:
>
> xl0: no memory for rx lists -- packet dropped
>
> After going to single user mode, cause I can't kill the offending program
> once it is running in multiuser mode (even kill -9 won't work on my system),
> then coming back to multiuser mode, I tried to run it and trace what it does
> with truss. But, truss didn't seem to output anything at all. Then, I saw
> the program state in top and it said the program is in mbuf state.
>
> I have searched all mailing lists archives in
> http://www.freebsd.org/search/search.html#mailinglists but weirdly, there
> are no articles shown when I enter this as a query: "no memory for rx list"
>
> Can anyone help me trace what the program does? And how can I prevent the
> program to DoS my network interface? Even when the program is started by
> unprivileged user, it works, it DoS my network interface. Is this a bug?

I don't know exactly what this program does, but by looking at the 'strings'
output, it would appear to do a bunch of setsockopt(), socketpair(), write()s
and fork()s. I imagine that it's forking like crazy (to grind your system to
a halt) and doing some funky socket stuff (to overload the NIC driver).

The reason why this works when run as an unprivileged user is because
a) any user can fork() and b) any user can create sockets and use the network.

You should be able to kill -9 this program; however, you must make sure that
you kill the parent. You may find the 'killall' command useful.

There's not much that you can do to prevent the DoS of a NIC -- it could
happen just as easily from the outside as from the inside (although via
different means). However, you can monitor what your users are doing on the
system, and take appropriate actions if they're abusing them.

--
Matt Emmerton
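The monitoring and "kill the parent" advice in the reply above can be scripted; the following is an added example, not code from this thread or from FreeBSD. It assumes input in the column order of `ps -axo user,pid,ppid,wchan,comm`, that blocked processes show `mbuf` as their wait channel (the state the original poster saw in top), and uses a hypothetical function name, threshold and constructed sample rows.

```shell
#!/bin/sh
# Added example: flag users whose process count reaches a threshold and who
# have processes sleeping on the "mbuf" wait channel, and report the topmost
# ancestor with the same owner and command name (the parent to kill first).

# Constructed sample in the assumed column order: USER PID PPID WCHAN COMMAND
sample_ps() {
cat <<'EOF'
USER PID PPID WCHAN COMMAND
root 1 0 wait init
root 210 1 select sshd
alice 300 210 pause csh
alice 301 300 wait a.out
alice 302 301 mbuf a.out
alice 303 301 mbuf a.out
alice 304 302 mbuf a.out
alice 305 302 mbuf a.out
alice 306 303 mbuf a.out
bob 400 210 pause csh
bob 401 400 ttyin vi
EOF
}

# report_storms LIMIT: reads ps rows on stdin and prints one line per flagged
# user: "user total_procs procs_in_mbuf top_parent_pid command"
report_storms() {
  awk -v limit="$1" -v chan="mbuf" '
    $2 == "PID" { next }                      # skip the ps header row
    {
      user[$2] = $1; ppid[$2] = $3; comm[$2] = $5
      nproc[$1]++
      if ($4 == chan) {
        stuck[$1]++
        if (!($1 in first)) first[$1] = $2    # remember one blocked process
      }
    }
    END {
      for (u in nproc) {
        if (nproc[u] < limit || !(u in first)) continue
        # Climb while the parent has the same owner and the same command name;
        # the ppid != pid guard stops at a self-parented entry such as pid 0.
        p = first[u]
        while (ppid[p] != p && (ppid[p] in user) &&
               user[ppid[p]] == u && comm[ppid[p]] == comm[p])
          p = ppid[p]
        printf "%s %d %d %d %s\n", u, nproc[u], stuck[u], p, comm[p]
      }
    }' | sort
}
```

On a live system the same function would be fed with `ps -axo user,pid,ppid,wchan,comm | report_storms 50`; command names containing spaces are truncated to their first word by this parser.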