Bugtraq mailing list archives

Re: Process table attack (from RISKS Digest)


From: achurch () DRAGONFIRE NET (Andy Church)
Date: Mon, 22 Feb 1999 13:40:46 EST


ABSTRACT:

The Process Table Attack is a [relatively] new kind of denial-of-service
attack that can be waged against numerous network services on a variety of
different UNIX systems. The attack is launched against network services
which fork() or otherwise allocate a new process for each incoming TCP/IP
connection.  Although the standard UNIX operating system places limits on
the number of processes that any one user may launch, there are no limits on
the number of processes that the superuser can create other than the hard
limits imposed by the operating system. Since incoming TCP/IP connections
are usually handled by servers that run as root, it is possible to
completely fill a target machine's process table with multiple
instantiations of network servers.

     Yet another reason to use a better-featured replacement for inetd,
such as xinetd (SunSITE:/pub/Linux/system/network/admin), which allows you
to specify the maximum number of processes allowed to be started for each
daemon (among other features not found in classic inetd).

     I can't think of any other daemons that spawn indefinite numbers of
processes (with the exception of standalone ftpd's).  In particular, CGI
scripts on web servers should not present a problem here, because in the
worst case, you'll almost certainly hit the per-process file descriptor
limit before reaching the system limit.  (At least for single-process
HTTP daemons; can anyone speak for Apache here?)

  --Andy Church
    achurch () dragonfire net
    http://achurch.dragonfire.net/
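As an added illustration (not part of Andy's message): the classic inetd.conf line for a forking service next to the equivalent xinetd stanza, which is where the per-daemon process cap he mentions is set. The service name, binary path and limit values below are assumed placeholders; `instances`, `per_source` and `cps` are real xinetd attributes.

```conf
# --- classic inetd.conf: one fork() per connection, no ceiling ---
# ftp  stream  tcp  nowait  root  /usr/sbin/in.ftpd  in.ftpd

# --- /etc/xinetd.d/ftp (xinetd): same daemon, bounded ---
service ftp
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd    # assumed path

    # Hard ceiling on simultaneous in.ftpd processes for this service.
    # Once reached, new connections are refused instead of fork()ed,
    # so the process table cannot be filled through this port.
    instances       = 30

    # Ceiling per connecting source address, so one host cannot
    # consume the whole allowance on its own.
    per_source      = 5

    # Rate limit: at most 10 connections/second; if exceeded, the
    # service is disabled for 30 seconds before accepting again.
    cps             = 10 30

    log_on_failure += HOST
    disable         = no
}
```

The same three attributes can also be placed in the `defaults { }` block of xinetd.conf so every service inherits a ceiling unless overridden.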


