Re: Process table attack (from RISKS Digest)

From: Jan B. Koum (jkbat_private)
Date: Mon Feb 22 1999 - 09:40:17 PST


    On Sat, Feb 20, 1999 at 01:42:53PM -0800, Mark Boolootian <boolooat_private> wrote:
    > Date: Fri, 19 Feb 1999 16:08:06 -0500
    > From: "Simson L. Garfinkel" <simsongat_private>
    > Subject: Process-table attack
    >
    > Wide-ranging attack works against almost any UNIX systems on the Internet
    >
    > ABSTRACT:
    >
    > The Process Table Attack is a [relatively] new kind of denial-of-service
    > attack that can be waged against numerous network services on a variety of
    > different UNIX systems. The attack is launched against network services
    > which fork() or otherwise allocate a new process for each incoming TCP/IP
    > connection.  Although the standard UNIX operating system places limits on
    > the number of processes that any one user may launch, there are no limits on
    > the number of processes that the superuser can create other than the hard
    > limits imposed by the operating system. Since incoming TCP/IP connections
    > are usually handled by servers that run as root, it is possible to
    > completely fill a target machine's process table with multiple
    > instantiations of network servers. Properly executed, this attack prevents
    > any other command from being executed on the target machine.
    
    	I have not tested this, but I don't think this is true for at
    	least FreeBSD. You see, it has what is called login limits and you
    	can indeed put limits on root login user. From /etc/login.conf:
    
    #root:\
    #       :cputime=infinity:\
    #       :datasize=infinity:\
    #       :stacksize=infinity:\
    #       :memorylocked=infinity:\
    #       :memoryuse=infinity:\
    #       :filesize=infinity:\
    #       :coredumpsize=infinity:\
    #       :openfiles=infinity:\
    #       :maxproc=infinity:\
    #       :memoryuse-cur=32M:\
    #       :maxproc-cur=64:\
    #       :openfiles-cur=1024:\
    #       :priority=0:\
    #       :requirehome@:\
    #       :umask=022:\
    #       :tc=auth-root-defaults:
    
    	As far as I know (and I am sure 2829 people will correct me if I am not),
    	changing infinity to a numeric value should produce a desired result.
    	AGAIN: I have not tested this yet for root user - but I know that the
    	login limits do work for normal users.
    
    -- Yan
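As an added example that is not part of the original post or of FreeBSD, the following Python reads a login.conf(5)-style file, follows tc= inheritance the way getcap(3) does, and reports which login classes leave the hard maxproc limit set to one of the "no limit" keywords. The sample file embedded in it is constructed in the style of the stanza quoted above (the quoted one is commented out and would parse to nothing), and the hardened variant is the change the post suggests: the same stanza with "infinity" replaced by a number. The parser does not handle getcap's backslash-octal escapes, which the stock file does not use.

```python
"""Check a login.conf(5)-style file for login classes whose process limit is
unbounded.

Added example for this thread; not code from the original post or from
FreeBSD.  The file format is the getcap(3) one used by login.conf:
`name|alias:cap:cap:...` records, `\\` continues a record on the next line,
`#` starts a comment, `key=value` sets a capability, `key@` deletes one and
`tc=other` splices in another record.  The first definition of a key wins,
so a record's own settings take precedence over anything reached via tc=.
"""

# Spellings that login.conf(5) accepts for "no limit".
UNLIMITED = {"infinity", "inf", "unlimited", "unlimit"}

# Constructed sample in the style of FreeBSD's /etc/login.conf (not the
# file quoted in the post, whose root stanza is commented out anyway).
WEAK_LOGIN_CONF = """\
default:\\
\t:maxproc=unlimited:\\
\t:openfiles=unlimited:\\
\t:umask=022:

auth-root-defaults:\\
\t:auth=passwd:

# root keeps an unbounded hard limit; the soft limit of 64 is only
# advisory because a root process may raise it back up to the hard limit.
root:\\
\t:maxproc=infinity:\\
\t:maxproc-cur=64:\\
\t:openfiles=infinity:\\
\t:tc=auth-root-defaults:
"""

# The change the post suggests: replace "infinity" with a numeric value.
HARDENED_LOGIN_CONF = (WEAK_LOGIN_CONF
                       .replace(":maxproc=infinity:", ":maxproc=512:")
                       .replace(":maxproc-cur=64:", ":maxproc-cur=256:"))


def parse_login_conf(text):
    """Return {class_name: [(key, value, deleted), ...]} in file order.

    value is the string after '=', True for a bare boolean capability,
    and None when the field is `key@` (deleted is then True).
    """
    records, buf = [], ""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.endswith("\\"):          # continued record
            buf += s[:-1]
            continue
        records.append(buf + s)
        buf = ""
    if buf:                           # file ended inside a continued record
        records.append(buf)

    classes = {}
    for rec in records:
        fields = [f for f in rec.split(":") if f]
        caps = []
        for f in fields[1:]:
            if f.endswith("@"):
                caps.append((f[:-1], None, True))
            elif "=" in f:
                key, val = f.split("=", 1)
                caps.append((key, val, False))
            else:
                caps.append((f, True, False))
        for name in fields[0].split("|"):
            classes[name] = caps
    return classes


def resolve(classes, name, seen=frozenset()):
    """Expand tc= chains for one class into a flat {key: value} dict."""
    if name in seen:
        raise ValueError("tc= loop involving %r" % name)
    if name not in classes:
        raise KeyError("login class %r is not defined" % name)
    out = {}
    for key, val, deleted in classes[name]:
        if key == "tc":
            for k, v in resolve(classes, val, seen | {name}).items():
                out.setdefault(k, v)  # own settings win over inherited ones
        elif key not in out:
            out[key] = None if deleted else val
    return {k: v for k, v in out.items() if v is not None}


def limit(classes, name, cap="maxproc"):
    """Return (soft, hard) for a resource capability of a class.

    login.conf(5): `cap-cur` is the soft limit, `cap-max` the hard limit,
    and a bare `cap` sets both unless a suffixed form is also present.
    None means the file does not set it, so a login inherits the parent
    process's limit (the kernel default), which is not the same as no limit.
    """
    caps = resolve(classes, name)
    both = caps.get(cap)
    return caps.get(cap + "-cur", both), caps.get(cap + "-max", both)


def is_unlimited(value):
    return isinstance(value, str) and value.lower() in UNLIMITED


def unbounded_classes(classes, cap="maxproc"):
    """Classes whose hard limit for `cap` is explicitly set to no limit."""
    return sorted(n for n in classes if is_unlimited(limit(classes, n, cap)[1]))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_LOGIN_CONF), ("hardened", HARDENED_LOGIN_CONF)):
        classes = parse_login_conf(text)
        print("%s: root maxproc (soft, hard) = %r, unbounded classes = %r"
              % (label, limit(classes, "root"), unbounded_classes(classes)))
```

Point the parser at a real /etc/login.conf (read the file into a string instead of the constructed sample) to see which classes still carry an unlimited hard maxproc; after editing the real file FreeBSD requires `cap_mkdb /etc/login.conf` before the change is picked up. The check reports only what the file says: whether a particular network daemon was started through a login class at all is a separate question it does not answer.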
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:12 PDT