Message-ID: <25ae38200706040749o1eb3b7bbs64a09e6c2e4d7331@mail.gmail.com>
Date:	Mon, 4 Jun 2007 07:49:24 -0700
From:	"Anand Jahagirdar" <anandjigar@...il.com>
To:	"Daniel Hazelton" <dhazelton@...er.net>
Cc:	Nix <nix@...eri.org.uk>, "Jens Axboe" <jens.axboe@...cle.com>,
	security@...nel.org, linux-kernel@...r.kernel.org,
	"Kedar Sovani" <kedar@...amzgroup.com>
Subject: Re: Patch related with Fork Bombing Attack

Hello All,
    I am forwarding one improved patch related to the fork
bombing attack. This patch prints a message (only once) which alerts
the administrator/root user about a fork bombing attack. I created this
patch to implement my idea of informing the administrator about a fork
bombing attack on his machine only once.
    This patch overcomes all drawbacks of my previous patch related
to the fork bombing attack and helps the administrator. The added comments will
definitely help developers.

Regards
Anand


On 6/3/07, Daniel Hazelton <dhazelton@...er.net> wrote:
> On Sunday 03 June 2007 19:01:21 Nix wrote:
> > On 1 Jun 2007, Jens Axboe told this:
> > > I think Anand is assuming that because syslog may coalesce identical
> > > messages into "repeated foo times" in the messages file, that it's not a
> > > dos. That is of course wrong.
> >
> > Not all syslog daemons do that, anyway. (syslog-ng doesn't, for one.)
>
> That syslog-ng doesn't coalesce repeated messages into a single line doesn't
> make a difference. The printk_ratelimit stuff is supposed to make it very
> hard to DOS a system by flooding syslog, but that doesn't mean it's
> impossible.
>
> The point of this discussion was that having a part of the kernel log a
> message about a fork-bomb was a very large hole that could be used to DOS a
> system by flooding the syslog. (In fact, IIRC, the printk_ratelimit (and
> somebody, please correct me if I'm wrong) stuff uses a ring buffer and
> seriously spamming syslog, like the patch that spawned this thread would have
> done, could cause you to lose potentially important messages)
>
> DRH
>

Download attachment "fork.patch" of type "application/octet-stream" (1217 bytes)
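
The thread above weighs three ways of logging a rejected fork: every time, rate-limited, and only once. The following userspace C model is an added illustration, not the attached fork.patch and not kernel code; it assumes a fixed-size log ring that nothing drains, and the ring size, interval, burst and message strings are constructed values.

```c
/* Added illustration: userspace model only; all sizes and strings are constructed. */
#include <stdio.h>
#include <string.h>
#define RING 64                       /* ring capacity in messages (assumed) */
enum policy { EVERY, RATELIMIT, ONCE };
struct ring { char msg[RING][32]; unsigned long head; };

/* Append a message, overwriting the oldest slot once the ring is full. */
static void emit(struct ring *r, const char *m) {
    snprintf(r->msg[r->head++ % RING], sizeof r->msg[0], "%s", m);
}
/* Is message m still present anywhere in the ring? */
static int survives(const struct ring *r, const char *m) {
    unsigned long n = r->head < RING ? r->head : RING;
    for (unsigned long i = 0; i < n; i++)
        if (strcmp(r->msg[i], m) == 0) return 1;
    return 0;
}
/* Rate limit: at most `burst` messages per window of `interval` ticks. */
struct rl { long interval, burst, left, start; };
static int rl_allow(struct rl *s, long now) {
    if (now - s->start >= s->interval) { s->start = now; s->left = s->burst; }
    if (s->left > 0) { s->left--; return 1; }
    return 0;
}
/* Log one unrelated message, then `failures` rejected forks arriving at
 * `per_tick` per tick. Returns the number of alert lines logged and sets
 * *kept to 1 if the unrelated message is still in the ring afterwards. */
long simulate(enum policy p, long failures, long per_tick, int *kept) {
    struct ring r = {0};
    struct rl s = { .interval = 5000, .burst = 10, .left = 10, .start = 0 };
    long logged = 0;
    int warned = 0;
    emit(&r, "disk: I/O error");
    for (long i = 0; i < failures; i++) {
        long now = i / per_tick;
        int ok = p == EVERY ? 1 : p == RATELIMIT ? rl_allow(&s, now) : !warned;
        if (ok) { emit(&r, "fork: limit hit"); warned = 1; logged++; }
    }
    *kept = survives(&r, "disk: I/O error");
    return logged;
}
int main(void) {
    const char *name[] = { "every", "ratelimit", "once" };
    for (int p = EVERY; p <= ONCE; p++) {
        int kept;
        long n = simulate((enum policy)p, 1000000, 10, &kept);
        printf("%-9s logged=%ld earlier message kept=%d\n", name[p], n, kept);
    }
    return 0;
}
```

In this model the rate limit cuts a million alerts to 200, which still overruns the 64-slot ring, while the print-once policy adds a single line and leaves the earlier message in place.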
