| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 08 Mar 2016 21:11:09 +0000 From: David Howells <dhowells@...hat.com> To: David Miller <davem@...emloft.net> Cc: dhowells@...hat.com, linux-afs@...ts.infradead.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 01/11] rxrpc: Add a common object cache David Miller <davem@...emloft.net> wrote: > > One could argue, I suppose, that things should've been arranged that the > > RxRPC client would manage the lifetime of each connection it sets up, > > rather than both ends letting it lapse by mutual loss of interest. But > > you *still* have to have a timeout, lest the client die and not close its > > connection. > > But the point is if there is no limitation on the number of these connections > that can be setup.... wait for troubles. > > And if you try to put in some kind of limit to handle this, it's then > easy for the bad guy to block out other legitimate users. I can put in a limit per peer, where a 'peer' is either a particular remote UDP port or particulat remote host. TCP has this by virtue of having a limited number of ports available per IP address. But if I have 10 IP addresses available, I can attempt to set up half a million TCP connections to a server simultaneously. If I have access to a box that has an NFS mount on it, I can potentially open sufficient TCP ports that the NFS mount can't make a connection if it's not allowed to use privileged ports. Am I right in thinking that you have decided that it can't be done and shouldn't be done? David
Powered by blists - more mailing lists