Date: Mon, 10 Jul 2000 10:59:01 +0200 (CEST) From: Paul Herman <pherman@frenchfries.net> To: core-ix@hushmail.com Cc: freebsd-arch@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG Subject: Re: Some proposals to FreeBSD kernel Message-ID: <Pine.BSF.4.21.0007101043230.265-100000@bagabeedaboo.security.at12.de> In-Reply-To: <200007100823.BAA07998@mail3.hushmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 10 xxx -1 core-ix@hushmail.com wrote:
> Some days ago my friend tell me that with simple user rights
> and whit only 1 line of code he could crash my machine. I laught
> but he did it :(.
>
> What he wrote was ' int main(void) {while(1) fork(); }' compiled it
> and run it. Within a second /kernel said "proc: table is full" and
> died.
This DoS is probably as old as you are. :) Setting proper limits on
your system, like "maxproc" and "stacksize" et al. in /etc/login.conf
will clamp down on this.
"Security for a server also means protection against itself."
> So I sit down and wrote a static library that introduse a new fork()
> (nfork()) and _exit() (nexit()) whose only purpose is to lower the
> effect ot fast fork()s by sleeping accordingly to the number of times
> fork() was called.
Your code is always welcome here, :) however most people here will
just tell you what I've just told you.
Perhaps a discussion of something like FORK_RATELIMIT along the lines
of ICMP_BANDLIM is in order? After an adjustable threshold forks
slowly start slowing down, rather than coughing up a "Resource
temporarily unavailable"?
-Paul.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0007101043230.265-100000>