Date:      Sun, 3 Feb 2002 21:41:14 +0000 (GMT)
From:      Mike Silbersack <silby@silby.com>
To:        Robert Watson <rwatson@freebsd.org>
Cc:        Mike Barcroft <mike@freebsd.org>, Mike Makonnen <mike_makonnen@yahoo.com>, Gaspar Chilingarov <nm@web.am>, <freebsd-hackers@freebsd.org>
Subject:   Re: fork rate limit
Message-ID:  <20020203213819.C13287-100000@patrocles.silby.com>
In-Reply-To: <Pine.NEB.3.96L.1020203221240.34548B-100000@fledge.watson.org>


On Sun, 3 Feb 2002, Robert Watson wrote:

> BTW, many sites find the per-uid process limits helpful in preventing fork
> bombs from crippling the site.  The default configuration may not be
> sufficiently aggressive, and while it's not the same as a rate limit, it
> does have the effect of topping them.  If there is a strong desire for
> rate-limiting, slotting it into the current resource handling code
> shouldn't be hard at all -- the state can be stored in uidinfo.
>
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
> robert@fledge.watson.org      NAI Labs, Safeport Network Services

Yeah, I threw in the maxprocperuid auto-capping thinking that it would
help reduce the nastiness of forkbombs.  However, as PR kern/23740 points
out, one of the problems we're encountering now is that the proc
structures are large enough that all kernel memory can be exhausted.
We're going to have to cap maxproc so that proc structures can't use more
than 50% of system memory in order to make sure that forkbombs can't
seriously hurt a box.

Mike "Silby" Silbersack
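
A userland sketch of the idea discussed in this thread, added as an example and not code from FreeBSD or from either poster: a per-uid process cap combined with a token-bucket fork rate limit whose state lives in a per-uid record. The struct, field and function names and all numeric values are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical userland model; names are assumptions, not FreeBSD's
 * struct uidinfo or any kernel API. */
struct uid_model {
    uint32_t proccnt;     /* live processes owned by this uid */
    uint32_t maxproc;     /* per-uid process cap (hard ceiling) */
    uint32_t tokens;      /* forks the rate limiter currently allows */
    uint32_t burst;       /* token bucket capacity */
    uint32_t rate;        /* tokens added per second */
    uint64_t last_refill; /* time of last refill, in seconds */
};

enum fork_verdict { FORK_OK = 0, FORK_DENY_COUNT = 1, FORK_DENY_RATE = 2 };

/* Decide whether a fork by this uid may proceed at time `now` (seconds). */
enum fork_verdict fork_check(struct uid_model *u, uint64_t now)
{
    if (now > u->last_refill) {
        uint64_t t = u->tokens + (now - u->last_refill) * u->rate;
        u->tokens = t > u->burst ? u->burst : (uint32_t)t;
        u->last_refill = now;
    }
    if (u->proccnt >= u->maxproc)   /* the count cap bounds total damage */
        return FORK_DENY_COUNT;
    if (u->tokens == 0)             /* the rate limit only slows the storm */
        return FORK_DENY_RATE;
    u->tokens--;
    u->proccnt++;
    return FORK_OK;
}

/* Run n fork attempts at one instant; return how many were allowed. */
uint32_t fork_burst(struct uid_model *u, uint64_t now, uint32_t n)
{
    uint32_t ok = 0;
    for (uint32_t i = 0; i < n; i++)
        if (fork_check(u, now) == FORK_OK)
            ok++;
    return ok;
}

int main(void)
{
    struct uid_model u = { 0, 100, 10, 10, 5, 0 }; /* constructed values */
    printf("t=0: %u of 1000 allowed\n", (unsigned)fork_burst(&u, 0, 1000));
    printf("t=1: %u of 1000 allowed\n", (unsigned)fork_burst(&u, 1, 1000));
    return 0;
}
```

Because no process ever exits in this model, the rate limit alone only delays the point at which the count cap is reached; the cap is what bounds the memory held by per-process structures.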

