>ABSTRACT:
>
>The Process Table Attack is a [relatively] new kind of denial-of-service
>attack that can be waged against numerous network services on a variety of
>different UNIX systems. The attack is launched against network services
>which fork() or otherwise allocate a new process for each incoming TCP/IP
>connection. Although the standard UNIX operating system places limits on
>the number of processes that any one user may launch, there are no limits on
>the number of processes that the superuser can create other than the hard
>limits imposed by the operating system. Since incoming TCP/IP connections
>are usually handled by servers that run as root, it is possible to
>completely fill a target machine's process table with multiple
>instantiations of network servers.

Yet another reason to use a better-featured replacement for inetd, such as xinetd (SunSITE:/pub/Linux/system/network/admin), which allows you to specify the maximum number of processes allowed to be started for each daemon (among other features not found in classic inetd).

I can't think of any other daemons that spawn indefinite numbers of processes (with the exception of standalone ftpd's). In particular, CGI scripts on web servers should not present a problem here, because in the worst case, you'll almost certainly hit the per-process file descriptor limit before reaching the system limit. (At least for single-process HTTP daemons; can anyone speak for Apache here?)

--Andy Church
achurchat_private
http://achurch.dragonfire.net/
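A defender-side check for the symptom the abstract describes, an inetd-style daemon whose root-owned instances pile up until the process table is full. This is an added example, not code from the post or from xinetd; the listing format is the `user comm` pairs that `ps -eo user,comm --no-headers` emits, and the sample listing, the threshold and the process limit are constructed for illustration.

```shell
#!/bin/sh
# Added example: count concurrent instances of each (user, command) pair in a
# ps listing and flag daemons that exceed a tolerated maximum. Also report how
# full the process table is against the operating system's hard limit.

count_instances() {
    # $1: ps listing ("user comm" per line). Emits "user comm count".
    printf '%s\n' "$1" | awk 'NF >= 2 { n[$1 " " $2]++ }
        END { for (k in n) print k, n[k] }' | sort
}

flag_exhaustion() {
    # $1: ps listing, $2: max tolerated instances per (user, command).
    # Prints only the pairs above the threshold, e.g. "root in.ftpd 8".
    count_instances "$1" | awk -v max="$2" '$3 > max'
}

table_fill_percent() {
    # $1: ps listing, $2: process-table limit (constructed; on Linux this
    # would come from kernel.pid_max or the limit the abstract refers to).
    n=$(printf '%s\n' "$1" | grep -c '[^ ]')
    echo $(( n * 100 / $2 ))
}

# Constructed sample: a handful of normal processes plus a burst of
# root-owned in.ftpd children spawned by a fork-per-connection inetd.
SAMPLE_PS=$(cat <<'EOF'
root    init
root    inetd
root    sshd
root    sshd
user1   bash
root    in.ftpd
root    in.ftpd
root    in.ftpd
root    in.ftpd
root    in.ftpd
root    in.ftpd
root    in.ftpd
root    in.ftpd
EOF
)

echo "daemons over 5 instances:"
flag_exhaustion "$SAMPLE_PS" 5
echo "process table $(table_fill_percent "$SAMPLE_PS" 20)% full (limit 20, constructed)"
```

With a real listing, pair the per-daemon count with the limit configured in xinetd so the alert fires before the daemon, rather than the kernel, starts refusing connections.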
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:15 PDT