From owner-freebsd-current  Wed Jul  8 03:22:58 1998
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id DAA23413
          for freebsd-current-outgoing; Wed, 8 Jul 1998 03:22:58 -0700 (PDT)
          (envelope-from owner-freebsd-current@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id DAA23388
          for <freebsd-current@freebsd.org>; Wed, 8 Jul 1998 03:22:51 -0700 (PDT)
          (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 22967 invoked by uid 1001); 8 Jul 1998 08:33:28 +0000 (GMT)
To: freebsd-current@FreeBSD.ORG
Subject: Rate limit for system calls to prevent denial of service attacks?
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Wed, 08 Jul 1998 10:33:28 +0200
Message-ID: <22965.899886808@verdi.nethelp.no>
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

The following small program:

	main(){while(1) fork();}

is a very effective denial of service attack against FreeBSD-2.2.6, 
despite reasonable defaults in login.conf. The problem is *not* the
number of processes, but the system call rate. It's actually kind of
amazing to follow this with vmstat, and see that the box is suddenly
doing 395000 system calls per second :-) (this is a P-166).

Yes, it's still responding to input, but very slowly. On a general
login box, I think this would be a big problem.

Limiting CPU time per process or user is probably not sufficient,
unless you set it to absurdly small limits. It looks to me like we
need some sort of *rate limiting* for system calls. Anybody looked
at this?

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message