From owner-freebsd-hackers Sun Feb 3 19:37:45 2002
Date: Sun, 3 Feb 2002 21:41:14 +0000 (GMT)
From: Mike Silbersack
To: Robert Watson
Cc: Mike Barcroft, Mike Makonnen, Gaspar Chilingarov
Subject: Re: fork rate limit
Message-ID: <20020203213819.C13287-100000@patrocles.silby.com>

On Sun, 3 Feb 2002, Robert Watson wrote:

> BTW, many sites find the per-uid process limits helpful in preventing fork
> bombs from crippling the site. The default configuration may not be
> sufficiently aggressive, and while it's not the same as a rate limit, it
> does have the effect of topping them. If there is a strong desire for
> rate-limiting, slotting it into the current resource handling code
> shouldn't be hard at all -- the state can be stored in uidinfo.
>
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
> robert@fledge.watson.org      NAI Labs, Safeport Network Services

Yeah, I threw in the maxprocperuid auto-capping thinking that it would
help reduce the nastiness of forkbombs. However, as PR kern/23740 points
out, one of the problems we're encountering now is that the proc
structures are large enough that all kernel memory can be exhausted.
We're going to have to cap maxproc so that proc structures can't use more
than 50% of system memory in order to make sure that forkbombs can't
seriously hurt a box.

Mike "Silby" Silbersack
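The thread contrasts a per-uid process cap with a fork rate limit whose state is kept per uid. As an added example (not code from the thread or from FreeBSD), this user-space C model applies both checks to each fork attempt; the struct, the function names and all numbers are hypothetical.

```c
#include <stdint.h>

/* Hypothetical per-uid record: a user-space stand-in for state that the
 * thread suggests could live in the kernel's uidinfo. */
struct uid_forkstate {
    uint32_t proccnt;   /* live processes owned by this uid */
    uint32_t maxproc;   /* per-uid process cap */
    uint32_t tokens;    /* forks the rate limit currently allows */
    uint32_t burst;     /* bucket size: largest burst of forks */
    uint32_t rate;      /* tokens added back per second */
    uint64_t last_sec;  /* time of the last refill */
};

enum fork_verdict { FORK_OK, FORK_DENY_LIMIT, FORK_DENY_RATE };

void forkstate_init(struct uid_forkstate *u, uint32_t maxproc,
                    uint32_t burst, uint32_t rate, uint64_t now_sec)
{
    u->proccnt = 0;  u->maxproc = maxproc;
    u->tokens = burst;  u->burst = burst;
    u->rate = rate;  u->last_sec = now_sec;
}

/* Check both limits for one fork attempt at time now_sec. */
enum fork_verdict fork_check(struct uid_forkstate *u, uint64_t now_sec)
{
    if (now_sec > u->last_sec) {
        uint64_t elapsed = now_sec - u->last_sec;
        if (elapsed > u->burst)          /* clamp so the multiply cannot overflow */
            elapsed = u->burst;
        uint64_t t = u->tokens + elapsed * u->rate;
        u->tokens = t > u->burst ? u->burst : (uint32_t)t;
        u->last_sec = now_sec;
    }
    if (u->proccnt >= u->maxproc)
        return FORK_DENY_LIMIT;          /* the cap: bounds live processes */
    if (u->tokens == 0)
        return FORK_DENY_RATE;           /* the rate limit: bounds fork churn */
    u->tokens--;
    u->proccnt++;
    return FORK_OK;
}

/* Called when one of the uid's processes exits. */
void fork_exit(struct uid_forkstate *u)
{
    if (u->proccnt > 0)
        u->proccnt--;
}
```

A loop that forks and immediately exits never reaches the cap but is stopped by the rate check, while processes that stay alive hit the cap first.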