Message-ID: <m3d4zz7gb0.fsf@maximus.localdomain>
Date:	Wed, 13 Jun 2007 22:25:23 +0200
From:	Krzysztof Halasa <khc@...waw.pl>
To:	Daniel Hazelton <dhazelton@...er.net>
Cc:	"Simon Arlott" <simon@...e.lp0.eu>,
	"Jan Engelhardt" <jengelh@...putergmbh.de>,
	"Roland Dreier" <rdreier@...co.com>,
	"Anand Jahagirdar" <anandjigar@...il.com>,
	linux-kernel@...r.kernel.org, security@...nel.org,
	"Andrew Morton" <akpm@...ux-foundation.org>, akpm@...eo.com,
	"Jens Axboe" <jens.axboe@...cle.com>,
	"Jiri Kosina" <jikos@...os.cz>
Subject: Re: Patch related with Fork Bombing Attack

Daniel Hazelton <dhazelton@...er.net> writes:

> I think the reasoning here is to alert the administrator(s) to the
> possibility that somebody has just tried a fork-bomb. A better test,
> IMHO, would be to check how fast the processes are being spawned and
> whether a large percentage share the same parent. (Those two taken
> together would better spot most fork-bombs, including the very simple
> types that are just a simple one-liner)

Not sure if it's a great idea at all. If the attacker is dumb then the
administrator already has everything he/she needs (and more) to adjust
the luser attitude.
If it's a serious attack then the attacker will evade the tests anyway
(but he/she may not be able to overcome the limits and the admin
still has all required info etc).

If we print such things then perhaps the next patch in queue should
warn us about users trying to access /etc/shadow or issuing some
configuration syscalls?

From a different point of view it would be alerting sysadmins about
a user who tried to create one more process than he/she was allowed
to. Isn't it crazy?
-- 
Krzysztof Halasa
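
The test proposed in the quoted text (how fast processes are spawned, and whether a large percentage share one parent), written out as an added example that is not part of the original message or of the patch under discussion. The event record, the threshold values and the sample data are constructed assumptions; the thread gives no concrete numbers.

```c
#include <stddef.h>
#include <stdio.h>

struct fork_event { unsigned long ms; int ppid; };  /* constructed record format */

/* Hypothetical thresholds; the thread does not propose concrete values. */
#define WINDOW_MS    1000UL  /* sliding window length in milliseconds */
#define MIN_FORKS    50u     /* "how fast": forks seen inside one window */
#define PARENT_SHARE 60u     /* "same parent": percent of them from one ppid */

/* Largest number of events in ev[lo..hi] that share one ppid. */
static size_t top_parent_count(const struct fork_event *ev, size_t lo, size_t hi)
{
    size_t best = 0;
    for (size_t i = lo; i <= hi; i++) {
        size_t c = 0;
        for (size_t j = lo; j <= hi; j++)
            c += (ev[j].ppid == ev[i].ppid);
        if (c > best) best = c;
    }
    return best;
}

/* Index of the first event where both tests hold, or -1 if none does. */
int fork_burst_at(const struct fork_event *ev, size_t n)
{
    size_t lo = 0;
    for (size_t hi = 0; hi < n; hi++) {
        while (ev[hi].ms - ev[lo].ms >= WINDOW_MS)
            lo++;                       /* drop events older than the window */
        size_t in_win = hi - lo + 1;
        if (in_win >= MIN_FORKS &&
            top_parent_count(ev, lo, hi) * 100 >= in_win * PARENT_SHARE)
            return (int)hi;
    }
    return -1;
}

/* Constructed input: 200 forks, step_ms apart, spread over `parents` ppids. */
int run_sample(unsigned long step_ms, int parents)
{
    static struct fork_event ev[200];
    for (size_t i = 0; i < 200; i++)
        ev[i] = (struct fork_event){ i * step_ms, 4000 + (int)(i % (size_t)parents) };
    return fork_burst_at(ev, 200);
}

int main(void)
{
    return printf("%d %d %d\n", run_sample(5, 1), run_sample(5, 10), run_sample(100, 1)) < 0;
}
```

Only the fast single-parent sample trips both tests; the same rate spread over ten parents and the slow single-parent sample do not, so the per-user process limit remains the control that bounds those cases.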