From owner-freebsd-current Fri Feb 18 12:31:58 2000
Delivered-To: freebsd-current@freebsd.org
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.133]) by hub.freebsd.org (Postfix) with ESMTP id CC93137BA96; Fri, 18 Feb 2000 12:31:48 -0800 (PST) (envelope-from mark@grondar.za)
Received: from grondar.za (localhost [127.0.0.1]) by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id WAA28751; Fri, 18 Feb 2000 22:30:51 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <200002182030.WAA28751@gratis.grondar.za>
To: Lyndon Nerenberg
Cc: Peter Wemm, current@FreeBSD.ORG, committers@FreeBSD.ORG
Subject: Re: Crypto progress! (And a Biiiig TODO list)
References: <200002181628.e1IGS9P48266@orthanc.ab.ca>
In-Reply-To: <200002181628.e1IGS9P48266@orthanc.ab.ca>; from Lyndon Nerenberg "Fri, 18 Feb 2000 09:28:09 MST."
Date: Fri, 18 Feb 2000 22:30:51 +0200
From: Mark Murray
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

All of the below are representative examples of the latitude that a
sysadmin may be granted when setting up her system. There is a DoS of
each of them. Pick your own policy.

M

> >>>>> "Mark" == Mark Murray writes:
>
> Mark> o A username may only be checked $number times per
> Mark> $timeperiod; after that, _all_ answers are silently
> Mark> converted to "no".
>
> Umm, massive DOS hole.
>
> Mark> o Daemon may only be invoked $number times per $timeperiod;
> Mark> refuses to fork after that.
>
> Another massive DOS hole.
>
> Mark> o Daemon will delay $timeperiod before returning answer.
>
> This is the correct way to deal with (perceived) attacks.
>
> Mark> ... etc. There are possibilities for DoS attacks, but the
> Mark> daemon talks only to a Unix Domain Socket, so finding the
> Mark> perp is easy.
>
> Not if the daemon has shut itself off due to load (#1 or #2 above) and you
> aren't currently logged in to the box.
>
> --lyndon

--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org
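To make the trade-off in the thread concrete, here is an added example (my own illustration, not code from the thread or from FreeBSD) that models the three proposed policies with a sliding window and shows how the two lockout variants let anyone deny service to a legitimate user while the delay variant does not. The class name, the tunables (max_attempts, window, delay) and the sample timestamps are assumptions.

```python
from collections import defaultdict, deque

class AuthPolicy:
    # Constructed model of the three rate-limiting policies debated in the thread.
    # max_attempts/window/delay are assumed tunables; times are plain floats (seconds).
    def __init__(self, max_attempts=3, window=60.0, delay=2.0):
        self.max_attempts = max_attempts
        self.window = window
        self.delay = delay
        self.per_user = defaultdict(deque)  # username -> timestamps of recent checks
        self.daemon_calls = deque()         # timestamps of every check, any user

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def check_user_lockout(self, user, password_ok, now):
        """Policy 1: after max_attempts checks per window, every answer is 'no'."""
        q = self.per_user[user]
        self._prune(q, now)
        q.append(now)
        return password_ok if len(q) <= self.max_attempts else False

    def check_daemon_lockout(self, password_ok, now):
        """Policy 2: the daemon refuses everyone after max_attempts calls per window."""
        self._prune(self.daemon_calls, now)
        self.daemon_calls.append(now)
        return password_ok if len(self.daemon_calls) <= self.max_attempts else False

    def check_with_delay(self, password_ok, now):
        """Policy 3: always answer truthfully, but only after a fixed delay."""
        return password_ok, now + self.delay

def lockout_scenario():
    """Three bad guesses at 'alice' by anyone, then alice's own correct password."""
    p = AuthPolicy(max_attempts=3, window=60.0)
    for t in range(3):
        p.check_user_lockout("alice", False, float(t))
    locked = p.check_user_lockout("alice", True, 3.0)      # correct password, inside window
    recovered = p.check_user_lockout("alice", True, 70.0)  # window has expired
    return locked, recovered

def delay_scenario():
    """The same correct login under the delay policy: still answered, just later."""
    p = AuthPolicy(delay=2.0)
    ok, answered_at = p.check_with_delay(True, 0.0)
    return ok, answered_at
```

Under policy 1 a few wrong guesses made by a third party are enough to turn alice's correct password into "no" until the window expires; under policy 3 the guesser pays the delay on every attempt but alice is never refused.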