Date: Sun, 3 Feb 2002 21:41:14 +0000 (GMT)
From: Mike Silbersack <silby@silby.com>
To: Robert Watson <rwatson@freebsd.org>
Cc: Mike Barcroft <mike@freebsd.org>, Mike Makonnen <mike_makonnen@yahoo.com>, Gaspar Chilingarov <nm@web.am>, <freebsd-hackers@freebsd.org>
Subject: Re: fork rate limit
Message-ID: <20020203213819.C13287-100000@patrocles.silby.com>
In-Reply-To: <Pine.NEB.3.96L.1020203221240.34548B-100000@fledge.watson.org>

On Sun, 3 Feb 2002, Robert Watson wrote:

> BTW, many sites find the per-uid process limits helpful in preventing fork
> bombs from crippling the site. The default configuration may not be
> sufficiently aggressive, and while it's not the same as a rate limit, it
> does have the effect of topping them. If there is a strong desire for
> rate-limiting, slotting it into the current resource handling code
> shouldn't be hard at all -- the state can be stored in uidinfo.
>
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
> robert@fledge.watson.org      NAI Labs, Safeport Network Services

Yeah, I threw in the maxprocperuid auto-capping thinking that it would
help reduce the nastiness of forkbombs. However, as PR kern/23740 points
out, one of the problems we're encountering now is that the proc
structures are large enough that all kernel memory can be exhausted.

We're going to have to cap maxproc so that proc structures can't use more
than 50% of system memory in order to make sure that forkbombs can't
seriously hurt a box.

Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message