Date: Thu, 9 Jul 1998 11:15:28 -0700 (PDT) From: Archie Cobbs <archie@whistle.com> To: drosih@rpi.edu (Garance A Drosihn) Cc: freebsd-current@FreeBSD.ORG Subject: Re: Rate limit for system calls to prevent denial of service attacks? Message-ID: <199807091815.LAA09514@bubba.whistle.com> In-Reply-To: <v0401172cb1c9b215dc36@[128.113.24.47]> from Garance A Drosihn at "Jul 8, 98 07:38:54 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
Garance A Drosihn writes:
> >>The following small program:
> >>
> >> main(){while(1) fork();}
> >>
> >> is a very effective denial of service attack against FreeBSD-2.2.6,
> >> despite reasonable defaults in login.conf. The problem is *not* the
> >> number of processes, but the system call rate. It's actually kind of
> >> amazing to follow this with vmstat, and see that the box is suddenly
> >> doing 395000 system calls per second :-) (this is a P-166).
>
> The subject of this thread asks about adding a rate-limit for
> system calls. I don't think that's a good idea, but I would like
> to see some kind of throttling of calls to fork() in particular.
Why would 100 processes doing
main(){while(1) getpid();}
be accounted for any differently than 100 processes doing
main(){while(1) /* infinite loop in user mode */;}
? Or am I misunderstanding something.
-Archie
___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199807091815.LAA09514>