Date:      Thu, 09 Jul 1998 22:24:37 -0700
From:      Mike Smith <mike@smith.net.au>
To:        sthaug@nethelp.no
Cc:        freebsd-current@FreeBSD.ORG
Subject:   Re: Rate limit for system calls to prevent denial of service attacks?
Message-ID:  <199807100524.WAA05713@antipodes.cdrom.com>
In-Reply-To: Your message of "Wed, 08 Jul 1998 10:33:28 +0200." <22965.899886808@verdi.nethelp.no>

> The following small program:
> 
> 	#include <unistd.h>
> 	int main(void){while(1) fork();}
> 
> is a very effective denial of service attack against FreeBSD-2.2.6, 
> despite reasonable defaults in login.conf. The problem is *not* the
> number of processes, but the system call rate. It's actually kind of
> amazing to follow this with vmstat, and see that the box is suddenly
> doing 395000 system calls per second :-) (this is a P-166).

8)

> Limiting CPU time per process or user is probably not sufficient,
> unless you set it to absurdly small limits. It looks to me like we
> need some sort of *rate limiting* for system calls. Anybody looked
> at this?

There was an interesting paper presented at Usenix this year on system 
QoS (as opposed to network QoS).  You should try chasing the 
proceedings, as I'm certain that one of the platforms it was developed 
on was FreeBSD.

Needless to say, a module like this would be *very* desirable.

-- 
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.  \\  msmith@cdrom.com
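As an added example (not code from this thread, from the Usenix paper mentioned, or from FreeBSD), the following C program models the per-process system-call rate limiter being asked for as a token bucket, the kind of accounting a kernel QoS module could do at system-call entry. Every admitted call costs one token, tokens are earned at a configured sustained rate and at most a configured burst are banked; when the bucket is empty the call is throttled instead of running immediately. The limit values (10000 calls/s sustained, 1000 banked), the `sc_bucket` names and the `simulate_flood` driver are assumptions chosen for illustration; the constructed flood reuses the 395000 calls/s figure reported above, issued evenly over one second, next to a well-behaved process making 500 calls/s.

```c
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC 1000000000ULL

/*
 * Hypothetical per-process accounting for a system-call rate limiter,
 * modelled as a token bucket: every admitted system call costs one token,
 * tokens are earned at `rate` per second, and at most `burst` are banked.
 * Tokens are kept scaled by NSEC_PER_SEC so the refill math stays integral.
 */
struct sc_bucket {
    uint64_t rate;       /* sustained limit, system calls per second (> 0) */
    uint64_t burst;      /* capacity: calls allowed back to back from a full bucket */
    uint64_t tokens_ns;  /* banked tokens * NSEC_PER_SEC */
    uint64_t last_ns;    /* monotonic time (ns) of the last refill */
};

void sc_bucket_init(struct sc_bucket *b, uint64_t rate, uint64_t burst,
                    uint64_t now_ns)
{
    b->rate = rate;
    b->burst = burst;
    b->tokens_ns = burst * NSEC_PER_SEC;   /* a new process starts with a full bucket */
    b->last_ns = now_ns;
}

/* Credit the tokens earned since the last refill, never exceeding capacity. */
static void sc_bucket_refill(struct sc_bucket *b, uint64_t now_ns)
{
    uint64_t cap = b->burst * NSEC_PER_SEC;
    uint64_t fill_ns = cap / b->rate;            /* time to refill from empty */
    uint64_t elapsed = now_ns > b->last_ns ? now_ns - b->last_ns : 0;

    if (elapsed >= fill_ns) {
        b->tokens_ns = cap;                      /* idle long enough: full, no overflow risk */
    } else {
        uint64_t added = elapsed * b->rate;      /* < cap, so this cannot overflow */
        b->tokens_ns = (cap - b->tokens_ns < added) ? cap : b->tokens_ns + added;
    }
    b->last_ns = now_ns;
}

/*
 * Called at system-call entry. Returns 1 if the call may proceed now and 0 if
 * the process must be throttled; a kernel would put the thread to sleep until
 * the next refill rather than let it spin, which is what bounds the call rate.
 */
int sc_bucket_admit(struct sc_bucket *b, uint64_t now_ns)
{
    sc_bucket_refill(b, now_ns);
    if (b->tokens_ns >= NSEC_PER_SEC) {
        b->tokens_ns -= NSEC_PER_SEC;
        return 1;
    }
    return 0;
}

/*
 * Constructed workload: `calls` system calls spread evenly over `duration_ns`,
 * standing in for the tight fork() loop. Returns how many the bucket admits.
 */
uint64_t simulate_flood(uint64_t calls, uint64_t duration_ns,
                        uint64_t rate, uint64_t burst)
{
    struct sc_bucket b;
    uint64_t interval = duration_ns / calls;
    uint64_t admitted = 0;

    sc_bucket_init(&b, rate, burst, 0);
    for (uint64_t i = 0; i < calls; i++)
        admitted += (uint64_t)sc_bucket_admit(&b, i * interval);
    return admitted;
}

int main(void)
{
    /* Limits are illustrative: 10000 calls/s sustained, 1000 banked. */
    uint64_t flood = simulate_flood(395000, NSEC_PER_SEC, 10000, 1000);
    uint64_t quiet = simulate_flood(500, NSEC_PER_SEC, 10000, 1000);

    printf("fork loop at 395000 calls/s: %llu of 395000 admitted in 1 s\n",
           (unsigned long long)flood);
    printf("well-behaved process at 500 calls/s: %llu of 500 admitted\n",
           (unsigned long long)quiet);
    return 0;
}
```

The flood gets the 1000 banked tokens plus roughly 10000 more earned over the second, so the spinning process is held to the configured rate regardless of how many children it has, which is the property the quoted message says CPU-time and process-count limits lack; the 500 calls/s process never finds the bucket empty and is not affected. In a kernel the throttled branch would sleep the thread until its next token rather than return 0, so the limiter slows the caller instead of failing its system calls.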


