Bugtraq mailing list archives
Re: Process table attack (from RISKS Digest)
From: achurch () DRAGONFIRE NET (Andy Church)
Date: Mon, 22 Feb 1999 13:40:46 EST
ABSTRACT: The Process Table Attack is a [relatively] new kind of denial-of-service attack that can be waged against numerous network services on a variety of different UNIX systems. The attack is launched against network services which fork() or otherwise allocate a new process for each incoming TCP/IP connection. Although the standard UNIX operating system places limits on the number of processes that any one user may launch, there are no limits on the number of processes that the superuser can create other than the hard limits imposed by the operating system. Since incoming TCP/IP connections are usually handled by servers that run as root, it is possible to completely fill a target machine's process table with multiple instantiations of network servers.
Yet another reason to use a better-featured replacement for inetd, such as xinetd (SunSITE:/pub/Linux/system/network/admin), which allows you to specify the maximum number of processes allowed to be started for each daemon (among other features not found in classic inetd). I can't think of any other daemons that spawn indefinite numbers of processes (with the exception of standalone ftpd's). In particular, CGI scripts on web servers should not present a problem here, because in the worst case, you'll almost certainly hit the per-process file descriptor limit before reaching the system limit. (At least for single-process HTTP daemons; can anyone speak for Apache here?)

--Andy Church
achurch () dragonfire net
http://achurch.dragonfire.net/