From: Mark Mayo
To: Archie Cobbs , Garance A Drosihn
Cc: freebsd-current@FreeBSD.ORG
Date: Fri, 10 Jul 1998 04:45:49 -0400
Subject: Re: Rate limit for system calls to prevent denial of service attacks?
Message-ID: <19980710044549.A26780@vmunix.com>
In-Reply-To: <199807091815.LAA09514@bubba.whistle.com>
X-Operating-System: FreeBSD 2.2.6-STABLE i386

On Thu, Jul 09, 1998 at 11:15:28AM -0700, Archie Cobbs wrote:
> Garance A Drosihn writes:
> > >> The following small program:
> > >>
> > >>        main(){while(1) fork();}
> > >>
> > >> is a very effective denial of service attack against FreeBSD-2.2.6,
> > >> despite reasonable defaults in login.conf.  The problem is *not* the
> > >> number of processes, but the system call rate.  It's actually kind of
> > >> amazing to follow this with vmstat, and see that the box is suddenly
> > >> doing 395000 system calls per second :-) (this is a P-166).
> >
> > The subject of this thread asks about adding a rate-limit for
> > system calls.  I don't think that's a good idea, but I would like
> > to see some kind of throttling of calls to fork() in particular.
>
> Why would 100 processes doing
>
>         main(){while(1) getpid();}
>
> be accounted for any differently than 100 processes doing
>
>         main(){while(1) /* infinite loop in user mode */;}

Well, in my short test, while doing

        while(1) fork();

my mpg123 player basically stopped - a few short cracks and squawks here
and there.  Login.conf was limiting me to 64 processes, and although I
could still type, that's about it. :-)  Syscall rate approached
700,000/sec for a short time, then fell back to about 340,000/sec.

        while(1) getpid();

basically had no effect on my mp3 player, and I was able to run
netscape, etc.  Still about 380,000 syscalls per second, but context
switches per second were about 300, as opposed to 40/sec during the
fork() loop.

So forking definitely seems to be worse in terms of denial of service
type attacks..  I'm not qualified to comment on why.. :-)  I would assume
scheduling that rapidly would be a source of problems.

System was 3.0-CURRENT/June-10 on a PPro 200.

-Mark

> ? Or am I misunderstanding something.
>
> -Archie
>
> ___________________________________________________________________________
> Archie Cobbs   *   Whistle Communications, Inc.   *   http://www.whistle.com

-- 
------------------------------------------------------------------------
Mark Mayo                                 mark@vmunix.com
RingZero Comp.                            http://www.vmunix.com/mark
------------------------------------------------------------------------
"The problem is how do you build tools that understand your programs at a
deeper semantic level." - James Gosling
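Added example, not part of this thread: the login.conf process limit the posters mention (maxproc, enforced through RLIMIT_NPROC) is the control that caps a runaway fork() loop. This program lowers its own soft RLIMIT_NPROC, forks a bounded number of short-lived children, and reports the point at which fork() starts failing with EAGAIN; the limit value, attempt count and the names fork_probe / probe_nproc_limit are constructed for illustration. Note that each refused fork() is still a system call, which is exactly the thread's point about rate versus count.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed for this example: what one probe run observed. */
struct fork_probe {
    int spawned;     /* children fork() actually created */
    int reaped;      /* children the parent has waited for */
    int fork_errno;  /* errno of the first failing fork(), 0 if none failed */
};

/* Lower the soft per-user process limit to `limit` (never above the hard
 * limit), then try at most `attempts` forks.  Children exit immediately;
 * the parent defers reaping so the exited children still count against
 * the limit, then stops at the first refusal and records why. */
struct fork_probe probe_nproc_limit(rlim_t limit, int attempts)
{
    struct fork_probe r = {0, 0, 0};
    struct rlimit rl;

    if (getrlimit(RLIMIT_NPROC, &rl) == 0) {
        rl.rlim_cur = (rl.rlim_max < limit) ? rl.rlim_max : limit;
        setrlimit(RLIMIT_NPROC, &rl);   /* lowering the soft limit needs no privilege */
    }
    for (int i = 0; i < attempts; i++) {
        pid_t pid = fork();
        if (pid < 0) { r.fork_errno = errno; break; }   /* EAGAIN once over the limit */
        if (pid == 0) _exit(0);                          /* child: nothing to do */
        r.spawned++;
    }
    while (r.reaped < r.spawned) {                       /* clean up every child */
        if (wait(NULL) > 0) r.reaped++;
        else if (errno != EINTR) break;
    }
    return r;
}

int main(void)
{
    struct fork_probe r = probe_nproc_limit(8, 64);
    printf("spawned %d, reaped %d, fork() stopped with: %s\n", r.spawned, r.reaped,
           r.fork_errno ? strerror(r.fork_errno)
                        : "no error (limit not enforced for this uid, e.g. root)");
    return 0;
}
```

Running as an unprivileged user, expect the refusal to arrive after a handful of forks; as root the limit is typically not enforced and all attempts succeed.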