[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <25ae38200706040749o1eb3b7bbs64a09e6c2e4d7331@mail.gmail.com>
Date: Mon, 4 Jun 2007 07:49:24 -0700
From: "Anand Jahagirdar" <anandjigar@...il.com>
To: "Daniel Hazelton" <dhazelton@...er.net>
Cc: Nix <nix@...eri.org.uk>, "Jens Axboe" <jens.axboe@...cle.com>,
security@...nel.org, linux-kernel@...r.kernel.org,
"Kedar Sovani" <kedar@...amzgroup.com>
Subject: Re: Patch related with Fork Bombing Atack
Hello All
I am forwarding one improved patch related with Fork
Bombing Attack. This patch prints a message (only once) which alerts
administrator/root user about fork bombing attack. I created this
patch to implement my idea of informing administrator about fork
bombing attack on his machine only once.
This patch overcomes all drawbacks of my previous patch related
with fork bombing attack and helps administrator. added comments will
definitely help developers.
Regards
Anand
On 6/3/07, Daniel Hazelton <dhazelton@...er.net> wrote:
> On Sunday 03 June 2007 19:01:21 Nix wrote:
> > On 1 Jun 2007, Jens Axboe told this:
> > > I think Anand is assuming that because syslog may coalesce identical
> > > messages into "repeated foo times" in the messages file, that it's not a
> > > dos. That is of course wrong.
> >
> > Not all syslog daemons do that, anyway. (syslog-ng doesn't, for one.)
>
> That syslog-ng doesn't coalesce repeated messages into a single line doesn't
> make a difference. The printk_ratelimit stuff is supposed to make it very
> hard to DOS a system by flooding syslog, but that doesn't mean its
> impossible.
>
> The point of this discussion was that having a part of the kernel log a
> message about a fork-bomb was a very large whole that could be used to DOS a
> system by flooding the syslog. (In fact, IIRC, the printk_ratelimit (and
> somebody, please correct me if I'm wrong) stuff uses a ring buffer and
> seriously spamming syslog, like the patch that spawned this thread would have
> done, could cause you to lose potentially important messages)
>
> DRH
>
Download attachment "fork.patch" of type "application/octet-stream" (1217 bytes)
Powered by blists - more mailing lists