Date: Wed, 08 Jul 1998 10:33:28 +0200
From: sthaug@nethelp.no
To: freebsd-current@FreeBSD.ORG
Subject: Rate limit for system calls to prevent denial of service attacks?
Message-ID: <22965.899886808@verdi.nethelp.no>
The following small program:

    main(){while(1) fork();}

is a very effective denial of service attack against FreeBSD-2.2.6, despite reasonable defaults in login.conf. The problem is *not* the number of processes, but the system call rate. It's actually kind of amazing to follow this with vmstat, and see that the box is suddenly doing 395000 system calls per second :-) (this is a P-166). Yes, it's still responding to input, but very slowly. On a general login box, I think this would be a big problem.

Limiting CPU time per process or user is probably not sufficient, unless you set it to absurdly small limits. It looks to me like we need some sort of *rate limiting* for system calls. Anybody looked at this?

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
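An added illustration of the point made in the mail above, that a cap on the number of processes does not cap the rate of fork() calls. This is not part of Steinar Haug's message and not FreeBSD code. The program lowers its own RLIMIT_NPROC (the per-user process ceiling that login.conf's maxproc sets) so that every fork() is refused, then runs the same kind of loop for one second and counts how many calls the kernel had to service and how each one came back. The function names (clamp_nproc, fork_rate) and the struct are this example's own. Any child that does get created (root, or a process holding the resource capability on Linux, is exempt from the limit) exits at once and is reaped, so the loop cannot fill the process table.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Tally of one timed burst of fork() calls (example type, not from the mail). */
struct fork_stats {
    unsigned long attempts;  /* fork() calls issued */
    unsigned long refused;   /* returned -1 with errno == EAGAIN: the process limit held */
    unsigned long succeeded; /* a child was created (and reaped immediately) */
    unsigned long other_err; /* any other failure */
    double seconds;          /* wall-clock duration of the burst */
};

/* Lower (never raise) this process's RLIMIT_NPROC, the per-user process
 * ceiling that login.conf's maxproc controls on FreeBSD. Lowering one's own
 * limit is always permitted, so this does not need privilege. */
int clamp_nproc(rlim_t max)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return -1;
    if (rl.rlim_max > max)
        rl.rlim_max = max;
    if (rl.rlim_cur > max)
        rl.rlim_cur = max;
    return setrlimit(RLIMIT_NPROC, &rl);
}

static double now_sec(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* Call fork() in a tight loop for budget_sec seconds and count the outcomes.
 * Each refused call still costs a full system call entry and a limit check in
 * the kernel, which is the load the mail's vmstat figure is measuring. */
struct fork_stats fork_rate(double budget_sec)
{
    struct fork_stats s = {0, 0, 0, 0, 0.0};
    double start = now_sec(), now;

    do {
        pid_t pid = fork();
        s.attempts++;
        if (pid == 0) {
            _exit(0);              /* child: leave immediately */
        } else if (pid > 0) {
            s.succeeded++;
            waitpid(pid, NULL, 0); /* reap so the process count never grows */
        } else if (errno == EAGAIN) {
            s.refused++;           /* limit enforced, but the syscall was still serviced */
        } else {
            s.other_err++;
        }
        now = now_sec();
    } while (now - start < budget_sec);

    s.seconds = now - start;
    return s;
}

int main(void)
{
    if (clamp_nproc(1) != 0)
        perror("setrlimit(RLIMIT_NPROC)");

    struct fork_stats s = fork_rate(1.0);
    printf("%lu fork() calls in %.2f s (%.0f/s): %lu refused with EAGAIN, "
           "%lu succeeded, %lu other errors\n",
           s.attempts, s.seconds, s.attempts / s.seconds,
           s.refused, s.succeeded, s.other_err);
    return 0;
}
```

Run it as an ordinary user: with the limit clamped to 1 every call is refused, yet the calls-per-second figure stays in the hundreds of thousands on current hardware, so the refusal path itself is what consumes the CPU. A per-process RLIMIT_CPU would eventually kill the loop, but only after it has used the CPU time the limit allows, which is the "absurdly small limits" problem the mail raises.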