On Mon, 07 Oct 2002 12:41:03 PDT, Crispin Cowan said:
> Anticipating predictable rebuttal :) aside from processor affinity, have
> we also closed all of the other trivial ways that a local user/process
> can DoS a machine into the ground by consuming gobs of resources? Fork
> bombing, consuming as much memory as possible, thrashing all levels of
> cache and disk, flooding network connections, etc. I'm not convinced
> that we even come close to preventing local DoS.

I think fork-bombing is already (mostly) managed by per-user process limits;
the others are open research problems. ;)

The interesting thing about affinity is that it's a case where a rogue program
can "fly under the wire" of all the usual existing tools and *still* cause a
DoS, *and* that there's a demonstrable way to 100% close *that* set of holes
with a hook.

I've never understood the LKML's attitude of "don't even bother because there's
other classes of holes" - under THAT logic, the kernel shouldn't even have the
current per-user process limit, since there's still other ways to hose the
system...

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
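The reply contrasts two things: the per-user process limit (RLIMIT_NPROC on Linux) that bounds fork bombs, and affinity narrowing that slips past such limits. The script below is an added example, not code from the thread or from any kernel patch under discussion: it audits a snapshot of /proc/<pid>/status records from a defender's side, reporting per-user process counts that approach a given RLIMIT_NPROC value and flagging processes whose Cpus_allowed mask has been reduced to a single CPU. The snapshot, the warning ratio and the limit value passed in are constructed for the example; the field names (Uid, Cpus_allowed) are the real ones used by /proc.

```python
"""Audit /proc/<pid>/status records for two local-DoS signals: per-user
process counts near RLIMIT_NPROC and processes pinned to a single CPU."""
import os
from collections import Counter

# Constructed sample: minimal /proc/<pid>/status excerpts with real field
# names but made-up pids, names and values. "Uid:" lists real, effective,
# saved and fs uid; "Cpus_allowed:" is a comma-separated list of 32-bit hex words.
SAMPLE_STATUS = {
    1000: "Name:\tbash\nUid:\t1001\t1001\t1001\t1001\nCpus_allowed:\tff\nCpus_allowed_list:\t0-7\n",
    1001: "Name:\tspin\nUid:\t1001\t1001\t1001\t1001\nCpus_allowed:\t01\nCpus_allowed_list:\t0\n",
    1002: "Name:\tspin\nUid:\t1001\t1001\t1001\t1001\nCpus_allowed:\t01\nCpus_allowed_list:\t0\n",
    1003: "Name:\tsshd\nUid:\t0\t0\t0\t0\nCpus_allowed:\tff\nCpus_allowed_list:\t0-7\n",
    1004: "Name:\tworker\nUid:\t1002\t1002\t1002\t1002\nCpus_allowed:\tffffffff,ffffffff\nCpus_allowed_list:\t0-63\n",
}


def parse_status(text):
    """Turn the 'Key:\\tvalue' lines of a status file into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def real_uid(fields):
    """RLIMIT_NPROC is accounted against the real uid, the first Uid column."""
    return int(fields["Uid"].split()[0])


def cpus_allowed_count(mask):
    """Number of CPUs a process may run on, from its Cpus_allowed hex mask."""
    return sum(bin(int(word, 16)).count("1") for word in mask.split(","))


def audit(snapshot, nproc_limit, warn_ratio=0.8):
    """Return per-uid counts, uids at or above warn_ratio * nproc_limit, and
    pids confined to one CPU. Uid 0 is skipped because the kernel does not
    enforce RLIMIT_NPROC on processes holding CAP_SYS_RESOURCE/CAP_SYS_ADMIN."""
    records = {pid: parse_status(txt) for pid, txt in snapshot.items()}
    per_uid = Counter(real_uid(f) for f in records.values())
    near_limit = {uid: n for uid, n in per_uid.items()
                  if uid != 0 and n >= warn_ratio * nproc_limit}
    pinned = sorted(pid for pid, f in records.items()
                    if "Cpus_allowed" in f and cpus_allowed_count(f["Cpus_allowed"]) == 1)
    return {"per_uid": dict(per_uid), "near_limit": near_limit, "pinned": pinned}


def live_snapshot(proc_root="/proc"):
    """Read the real status files (Linux only); used when run as a script."""
    snap = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            try:
                with open(os.path.join(proc_root, entry, "status")) as fh:
                    snap[int(entry)] = fh.read()
            except OSError:  # process exited or is not readable
                continue
    return snap


if __name__ == "__main__":
    import resource
    soft, _hard = resource.getrlimit(resource.RLIMIT_NPROC)  # this process's limit
    limit = soft if soft != resource.RLIM_INFINITY else 2 ** 31
    print(audit(live_snapshot(), limit))
```

With the constructed snapshot and a limit of 3, uid 1001 is reported as near its limit and pids 1001 and 1002 are reported as pinned; on a live box the limit is taken from the auditing process's own soft RLIMIT_NPROC, which is only an approximation since each process can carry a different limit (the exact per-process value is in /proc/<pid>/limits).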
This archive was generated by hypermail 2b30 : Mon Oct 07 2002 - 12:57:01 PDT