From owner-freebsd-hackers Mon Jul 10 1:59:23 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from mail2.netcologne.de (mail2.netcologne.de [194.8.194.103]) by hub.freebsd.org (Postfix) with ESMTP id 6D3F037C51C; Mon, 10 Jul 2000 01:59:15 -0700 (PDT) (envelope-from pherman@frenchfries.net)
Received: from bagabeedaboo.security.at12.de (dial-195-14-254-153.netcologne.de [195.14.254.153]) by mail2.netcologne.de (8.9.3/8.9.3) with ESMTP id KAA29148; Mon, 10 Jul 2000 10:59:09 +0200 (MET DST)
Received: from localhost (localhost.security.at12.de [127.0.0.1]) by bagabeedaboo.security.at12.de (8.10.2/8.10.2) with ESMTP id e6A8x2o53348; Mon, 10 Jul 2000 10:59:02 +0200 (CEST)
Date: Mon, 10 Jul 2000 10:59:01 +0200 (CEST)
From: Paul Herman
To: core-ix@hushmail.com
Cc: freebsd-arch@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: Some proposals to FreeBSD kernel
In-Reply-To: <200007100823.BAA07998@mail3.hushmail.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 10 xxx -1 core-ix@hushmail.com wrote:

> Some days ago my friend told me that with simple user rights
> and with only 1 line of code he could crash my machine. I laughed,
> but he did it :(.
>
> What he wrote was ' int main(void) {while(1) fork(); }', compiled it
> and ran it. Within a second /kernel said "proc: table is full" and
> died.

This DoS is probably as old as you are. :) Setting proper limits on your system, like "maxproc" and "stacksize" et al. in /etc/login.conf will clamp down on this. "Security for a server also means protection against itself."

> So I sat down and wrote a static library that introduces a new fork()
> (nfork()) and _exit() (nexit()) whose only purpose is to lower the
> effect of fast fork()s by sleeping according to the number of times
> fork() was called.

Your code is always welcome here, :) however most people here will just tell you what I've just told you.
Perhaps a discussion of something like FORK_RATELIMIT along the lines of ICMP_BANDLIM is in order? After an adjustable threshold, forks slowly start slowing down, rather than coughing up a "Resource temporarily unavailable"?

-Paul.
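The FORK_RATELIMIT idea floated above (slow forks down past a threshold instead of rejecting them outright, in the spirit of ICMP_BANDLIM's per-interval counting) can be sketched as a small userland model. The following is an added illustration written for this archive page, not FreeBSD kernel code and not the nfork() library the original poster describes; every name and constant in it (`fork_rl`, `FORK_RL_*`, `fork_rl_charge`, the window and step values) is an assumption chosen for the example. It counts fork attempts per accounting window and, once the count passes the threshold, returns a penalty that grows linearly with each further attempt and is capped so a runaway process is throttled rather than wedged.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a FORK_RATELIMIT policy. All identifiers here are
 * assumptions for illustration, not FreeBSD kernel symbols. The shape
 * mirrors ICMP_BANDLIM: count events in a fixed window, react past a limit. */

#define FORK_RL_WINDOW_MS   1000   /* accounting window (one second) */
#define FORK_RL_THRESHOLD   50     /* forks per window that earn no penalty */
#define FORK_RL_STEP_MS     10     /* extra delay per fork over the threshold */
#define FORK_RL_MAX_MS      500    /* cap on the per-fork delay */

/* Per-credential (or per-process) rate-limit state. */
struct fork_rl {
    uint64_t window_start_ms;  /* start of the current accounting window */
    unsigned count;            /* fork attempts charged in this window */
};

void fork_rl_init(struct fork_rl *rl, uint64_t now_ms)
{
    rl->window_start_ms = now_ms;
    rl->count = 0;
}

/* Charge one fork attempt at time now_ms. Returns the delay in
 * milliseconds the caller should sleep before the fork proceeds:
 * 0 while under the threshold, then FORK_RL_STEP_MS per excess fork,
 * never more than FORK_RL_MAX_MS. The window resets once it has elapsed,
 * so a well-behaved process that merely bursts briefly recovers quickly. */
unsigned fork_rl_charge(struct fork_rl *rl, uint64_t now_ms)
{
    if (now_ms - rl->window_start_ms >= FORK_RL_WINDOW_MS) {
        rl->window_start_ms = now_ms;
        rl->count = 0;
    }
    rl->count++;
    if (rl->count <= FORK_RL_THRESHOLD)
        return 0;

    uint64_t over = rl->count - FORK_RL_THRESHOLD;
    uint64_t delay = over * FORK_RL_STEP_MS;
    return delay > FORK_RL_MAX_MS ? FORK_RL_MAX_MS : (unsigned)delay;
}

/* Total delay a process would accumulate by attempting n forks at the
 * same instant start_ms (the fork-bomb pattern quoted in the thread). */
uint64_t fork_rl_simulate_burst(unsigned n, uint64_t start_ms)
{
    struct fork_rl rl;
    uint64_t total = 0;
    fork_rl_init(&rl, start_ms);
    for (unsigned i = 0; i < n; i++)
        total += fork_rl_charge(&rl, start_ms);
    return total;
}

/* Delay charged for a single fork one full window after a burst of n,
 * demonstrating that the penalty does not persist once the window rolls. */
unsigned fork_rl_delay_after_window(unsigned n, uint64_t start_ms)
{
    struct fork_rl rl;
    fork_rl_init(&rl, start_ms);
    for (unsigned i = 0; i < n; i++)
        (void)fork_rl_charge(&rl, start_ms);
    return fork_rl_charge(&rl, start_ms + FORK_RL_WINDOW_MS);
}

int main(void)
{
    /* Constructed scenario: bursts of increasing size in one window. */
    unsigned sizes[] = { 10, 50, 60, 120 };
    for (unsigned i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%3u forks in one window -> %llu ms total delay\n",
               sizes[i],
               (unsigned long long)fork_rl_simulate_burst(sizes[i], 0));
    printf("one fork a window after a 60-fork burst -> %u ms\n",
           fork_rl_delay_after_window(60, 0));
    return 0;
}
```

A burst of 50 forks costs nothing, 60 forks accumulate 550 ms of delay, and 120 forks accumulate 22750 ms, so the fork-bomb loop from the quoted message slows to a crawl within the first second while ordinary workloads never notice the limiter. This complements rather than replaces the maxproc limit in /etc/login.conf: the hard limit bounds the damage, the rate limit shapes the approach to it.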