fork bomb attack

Thomas Hille thomas.hille at nightsabers.org
Sat Mar 19 14:13:47 UTC 2005


On Saturday, 19.03.2005, at 12:37 +0000, Rui Miguel Seabra wrote:
> On Fri, 2005-03-18 at 21:23 -0700, Tyler Larson wrote:
> > Fork bombs have always been of little concern to admins. They do 
> > relatively little damage and are completely traceable. The perpetrator 
> > does little more than land himself in a lot of hot water. In most cases, 
> > the threat of disciplinary action is enough protection--it's not an 
> > attack that can be launched anonymously.
> 
> They are definitely not of little concern. A fork bomb on the DNS server
> launched through some other bug would cause some interesting harm.

Sorry, but an admin that allows users to log into a DNS server is either
stupid or ignorant. And if somebody were able to log into it via a
bug, you should first fix that bug, since there are other more efficient
ways to "get rid" of the DNS server (like overloading the network
interface with traffic).


> > In the extremely rare case where fork bomb protection is a big enough 
> > concern to warrant reducing the process limits, the administrator can 
> > impose whatever ulimit he wants. However, this is the exception rather 
> > than the rule.
> 
> Yes. But I don't envisage a user of Fedora with 16k processes, do you?
> 
> I agree that the limit is insanely high.

16k is high, but definitely not insanely so. On an SMP webserver the
"apache" user has no problem starting 1k to 2k processes. And having
read a recent review in one of Germany's IT magazines about Delta's new
8-way Opteron with 64GB main memory and up to 4 gigabit network
connections, I don't think 16k processes is impossible. It simply
depends on what the machine does and what resources the machine has.
(BTW the 8-way machine comes with Linux preloaded)

-Thomas
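
Added example, not part of the original message or of any Fedora code: a small audit that compares per-user process counts with the hard nproc limit that applies to each user, showing how a 16k default can coexist with tighter per-user or per-group limits. The limits.conf-style entries, the user and group names other than "apache", and the process snapshot are all constructed for illustration.

```python
from collections import Counter

# Constructed limits.conf-style entries: <domain> <type> <item> <value>
LIMITS_CONF = """
*          hard  nproc  16384
apache     hard  nproc  2048
@students  hard  nproc  256
alice      soft  nproc  100
"""

def parse_hard_nproc(text):
    """Map each domain to its hard nproc limit (None means unlimited)."""
    limits = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 4:
            continue
        domain, ltype, item, value = fields
        if item == "nproc" and ltype in ("hard", "-"):
            unlimited = value in ("unlimited", "infinity", "-1")
            limits[domain] = None if unlimited else int(value)
    return limits

def effective_limit(user, groups, limits):
    """A user entry beats a group entry, which beats the '*' default."""
    if user in limits:
        return limits[user]
    if user == "root":
        return None  # group and wildcard entries are not applied to root
    for group in groups:
        if "@" + group in limits:
            return limits["@" + group]
    return limits.get("*")

def near_limit(proc_owners, user_groups, limits, threshold=0.8):
    """Return {user: (count, limit)} for users at or above threshold * limit."""
    flagged = {}
    for user, count in Counter(proc_owners).items():
        limit = effective_limit(user, user_groups.get(user, []), limits)
        if limit is not None and count >= threshold * limit:
            flagged[user] = (count, limit)
    return flagged

# Constructed snapshot: one entry per running process, named by its owner.
OWNERS = ["apache"] * 1500 + ["bob"] * 250 + ["alice"] * 120 + ["root"] * 90
GROUPS = {"bob": ["students"], "alice": ["staff"]}

if __name__ == "__main__":
    print(near_limit(OWNERS, GROUPS, parse_hard_nproc(LIMITS_CONF)))
```

Only "bob" is flagged here: the busy "apache" account stays under its own 2048 limit, and "alice" has only a soft entry, so her hard limit falls back to the 16384 default.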




More information about the fedora-devel-list mailing list