>ABSTRACT:
>
>The Process Table Attack is a [relatively] new kind of denial-of-service
>attack that can be waged against numerous network services on a variety of
>different UNIX systems. The attack is launched against network services
>which fork() or otherwise allocate a new process for each incoming TCP/IP
>connection. Although the standard UNIX operating system places limits on
>the number of processes that any one user may launch, there are no limits on
>the number of processes that the superuser can create other than the hard
>limits imposed by the operating system. Since incoming TCP/IP connections
>are usually handled by servers that run as root, it is possible to
>completely fill a target machine's process table with multiple
>instantiations of network servers.
Yet another reason to use a better-featured replacement for inetd,
such as xinetd (SunSITE:/pub/Linux/system/network/admin), which allows you
to specify the maximum number of processes allowed to be started for each
daemon (among other features not found in classic inetd).
I can't think of any other daemons that spawn indefinite numbers of
processes (with the exception of standalone ftpd's). In particular, CGI
scripts on web servers should not present a problem here, because in the
worst case, you'll almost certainly hit the per-process file descriptor
limit before reaching the system limit. (At least for single-process
HTTP daemons; can anyone speak for Apache here?)
--Andy Church
achurchat_private
http://achurch.dragonfire.net/
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:15 PDT