Bugtraq mailing list archives
Re: Process table attack (from RISKS Digest)
From: jkb () BEST COM (Jan B. Koum)
Date: Mon, 22 Feb 1999 09:40:17 -0800
On Sat, Feb 20, 1999 at 01:42:53PM -0800, Mark Boolootian <booloo () cats ucsc edu> wrote:
Date: Fri, 19 Feb 1999 16:08:06 -0500From: "Simson L. Garfinkel" <simsong () vineyard net>Subject: Process-table attack Wide-ranging attack works against almost any UNIX systems on the Internet ABSTRACT: The Process Table Attack is a [relatively] new kind of denial-of-service attack that can be waged against numerous network services on a variety of different UNIX systems. The attack is launched against network services which fork() or otherwise allocate a new process for each incoming TCP/IP connection. Although the standard UNIX operating system places limits on the number of processes that any one user may launch, there are no limits on the number of processes that the superuser can create other than the hard limits imposed by the operating system. Since incoming TCP/IP connections are usually handled by servers that run as root, it is possible to completely fill a target machine's process table with multiple instantiations of network servers. Properly executed, this attack prevents any other command from being executed on the target machine.
I have not tested this, but I don't think this is true for at least FreeBSD. You see, it has what is called login limits and you can indeed put limits on root login user. From /etc/login.conf: #root:\ #:cputime=infinity:\ #:datasize=infinity:\ #:stacksize=infinity:\ #:memorylocked=infinity:\ #:memoryuse=infinity:\ #:filesize=infinity:\ #:coredumpsize=infinity:\ #:openfiles=infinity:\ #:maxproc=infinity:\ #:memoryuse-cur=32M:\ #:maxproc-cur=64:\ #:openfiles-cur=1024:\ #:priority=0:\ #:requirehome@:\ #:umask=022:\ #:tc=auth-root-defaults: As far as I know (and I am sure 2829 peole will correct me if I am not), changing infinity to a numeric value should produce a desired result. AGAIN: I have not tested this yet for root user - but I know that the login limits do work for normal users. -- Yan
Current thread:
- Re: Pro/wuFTPD DoS Ultor (Feb 13)
- <Possible follow-ups>
- Re: Pro/wuFTPD DoS ga (Feb 15)
- Re: Pro/wuFTPD DoS CyberPsychotic (Feb 17)
- Re: Pro/wuFTPD DoS CyberPsychotic (Feb 19)
- Re: Pro/wuFTPD DoS Chris Wedgwood (Feb 20)
- Process table attack (from RISKS Digest) Mark Boolootian (Feb 20)
- LSOF exploit c0nd0r (Feb 21)
- Re: Process table attack (from RISKS Digest) Olle Segerdahl,D (Feb 22)
- Re: Process table attack (from RISKS Digest) Jan B. Koum (Feb 22)
- ANNOUNCE: Net::RawIP 0.06 has been released Sergey V. Kolychev (Feb 22)
- Summary: Copyright on Security advisories Aviram Jenik (Feb 22)
- Re: Process table attack (from RISKS Digest) Dug Song (Feb 22)
- NetBus client 1.x overflow Daniel Rosowski (Feb 22)
- Re: Process table attack (from RISKS Digest) James Lockwood (Feb 22)
- Re: Process table attack (from RISKS Digest) Dirk Moerenhout (Feb 22)
- Re: Process table attack (from RISKS Digest) unknown () RIVERSTYX NET (Feb 22)
- Re: Process table attack (from RISKS Digest) Andrew Hobgood (Feb 22)
- Denial of service process table attacks John Conover (Feb 23)
- Group kmem exploitable? Oliver Xymoron (Feb 23)
- Re: Pro/wuFTPD DoS Chris Wedgwood (Feb 20)