Re: From: Ivan Streetovich, Japan

From: Mike Silbersack (silby@silby.com)
Date: 09/03/02


Date: Tue, 3 Sep 2002 11:52:24 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Alfred Perlstein <bright@mu.org>


On Mon, 2 Sep 2002, Alfred Perlstein wrote:

> * Mike Silbersack <silby@silby.com> [020902 17:06] wrote:
> >
> > This is just another local mbuf exhaustion attack. We should probably put
> > in countermeasures for this one of these days, but it's not all that much
> > of a serious problem. If you have a shell machine you wish to get your
> > access revoked on, then by all means go ahead and use this program.
>
> I think the 'sbsize' ulimit already protects people from this.
>
> I think the problem is that it's not set by default, however I think
> that's somewhat of a good thing as it makes sure we don't bomb out
> when someone tries to bench us.

Doh, I had forgotten about that setting. Sbsize does work decently in
such a situation, but it's not ready to be enabled by default. In
addition to the fact that it would bomb out people doing high volume
benchmarks, there's also the problem that it accounts for receive buffers,
which are empty most of the time.

Bosko and I had thrown around some ideas on how to improve mbuf limiting,
but we haven't had time to work on them yet.

Mike "Silby" Silbersack
