Date: Fri, 10 Jul 1998 04:45:49 -0400
From: Mark Mayo <mark@vmunix.com>
To: Archie Cobbs <archie@whistle.com>, Garance A Drosihn <drosih@rpi.edu>
Cc: freebsd-current@FreeBSD.ORG
Subject: Re: Rate limit for system calls to prevent denial of service attacks?
Message-ID: <19980710044549.A26780@vmunix.com>
In-Reply-To: <199807091815.LAA09514@bubba.whistle.com>; from Archie Cobbs on Thu, Jul 09, 1998 at 11:15:28AM -0700
References: <v0401172cb1c9b215dc36@[128.113.24.47]> <199807091815.LAA09514@bubba.whistle.com>
On Thu, Jul 09, 1998 at 11:15:28AM -0700, Archie Cobbs wrote:
> Garance A Drosihn writes:
> > >>The following small program:
> > >>
> > >> main(){while(1) fork();}
> > >>
> > >> is a very effective denial of service attack against FreeBSD-2.2.6,
> > >> despite reasonable defaults in login.conf. The problem is *not* the
> > >> number of processes, but the system call rate. It's actually kind of
> > >> amazing to follow this with vmstat, and see that the box is suddenly
> > >> doing 395000 system calls per second :-) (this is a P-166).
> >
> > The subject of this thread asks about adding a rate-limit for
> > system calls. I don't think that's a good idea, but I would like
> > to see some kind of throttling of calls to fork() in particular.
>
> Why would 100 processes doing
>
> main(){while(1) getpid();}
>
> be accounted for any differently than 100 processes doing
>
> main(){while(1) /* infinite loop in user mode */;}
Well, in my short test, while doing while(1) fork(); my mpg123
player basically stopped - a few short cracks and squawks here
and there. Login.conf was limiting me to 64 processes, and
although I could still type, that's about it. :-)
Syscall rate approached 700,000/sec for a short time, then fell
back to about 340,000/sec.
while(1) getpid(); basically had no effect on my mp3 player, and
I was able to run netscape, etc. Still about 380,000 syscalls per
second, but context switches per second were about 300, as opposed
to 40/sec during the fork() loop.
So forking definitely seems to be worse in terms of denial of
service type attacks.
I'm not qualified to comment on why. :-)
I would assume scheduling that rapidly would be a source of
problems.
System was 3.0-CURRENT/June-10 on a PPro 200.
-Mark
>
> ? Or am I misunderstanding something.
>
> -Archie
>
> ___________________________________________________________________________
> Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
--
------------------------------------------------------------------------
Mark Mayo mark@vmunix.com
RingZero Comp. http://www.vmunix.com/mark
------------------------------------------------------------------------
"The problem is how do you build tools that understand your programs
at a deeper semantic level." - James Gosling
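The thread diagnoses the fork loop from vmstat's syscall and context-switch columns rather than from the process count. As an added illustration that is not part of this thread, the script below parses `vmstat 1` output in FreeBSD's two-line column layout and flags runs of samples where the syscall rate stays above a threshold, reporting the lowest context-switch rate seen in the run; the sample vmstat output, the 100,000/sec threshold and the column layout are assumptions, not taken from the thread.

```python
# Flag sustained syscall storms in `vmstat 1` output (FreeBSD-style columns).
# Added illustration, not code from the thread. Assumes FreeBSD's two-line vmstat
# header with a 'faults' block of 'in sy cs'; the sample below is constructed.
from typing import List, Tuple

# Constructed in the spirit of the thread's numbers; not a real capture.
SAMPLE_VMSTAT = """\
 procs      memory     page                    disks     faults      cpu
 r b w     avm   fre  flt  re  pi  po  fr  sr ad0 cd0   in     sy   cs us sy id
 1 0 0   12345  6789   12   0   0   0   0   0   0   0  110    210   60  2  1 97
 1 0 0   12345  6780   14   0   0   0   0   0   0   0  120 380000  300  5 95  0
64 0 0   23456  1200  900   0   0   0   0   0   0   0  130 395000   40  3 97  0
64 0 0   23456  1100  950   0   0   0   0   0   0   0  128 340000   38  2 98  0
 1 0 0   12345  6700   10   0   0   0   0   0   0   0  115    250   55  1  1 98
"""


def parse_vmstat(text: str) -> List[Tuple[int, int, int]]:
    """Extract (in, sy, cs) per sample. 'sy' appears twice in the header
    (faults and cpu), so the faults block is located from the unique 'cs'."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = next(ln for ln in lines if {"in", "cs"} <= set(ln.split()))
    cols = header.split()
    cs_idx = cols.index("cs")
    in_idx, sy_idx = cs_idx - 2, cs_idx - 1
    if cols[in_idx] != "in" or cols[sy_idx] != "sy":
        raise ValueError("unexpected vmstat header layout")
    samples = []
    for ln in lines[lines.index(header) + 1:]:
        fields = ln.split()
        if not fields[0].isdigit():  # vmstat repeats its header periodically
            continue
        samples.append((int(fields[in_idx]), int(fields[sy_idx]), int(fields[cs_idx])))
    return samples


def syscall_storms(samples, threshold=100_000, min_run=2) -> List[Tuple[int, int, int, int]]:
    """Return (first, last, peak_sy, min_cs) for each run of at least min_run
    consecutive samples at or above threshold syscalls/sec. min_cs is kept
    because the thread saw fork() drive context switches down to ~40/sec."""
    runs, start = [], None
    for i, (_, sy, _) in enumerate(samples + [(0, 0, 0)]):  # sentinel ends a trailing run
        if sy >= threshold:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_run:
                w = samples[start:i]
                runs.append((start, i - 1, max(s[1] for s in w), min(s[2] for s in w)))
            start = None
    return runs
```

Feeding it live `vmstat 1` output on the box being watched gives a first-cut alert on the condition Mark observed, independent of the per-user process limit in login.conf.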
