Re: Patch related with Fork Bombing Atack

[Daniel Hazelton]

On Sunday 03 June 2007 19:01:21 Nix wrote:
> On 1 Jun 2007, Jens Axboe told this:
> > I think Anand is assuming that because syslog may coalesce identical
> > messages into "repeated foo times" in the messages file, that it's not a
> > dos. That is of course wrong.
>
> Not all syslog daemons do that, anyway. (syslog-ng doesn't, for one.)

That syslog-ng doesn't coalesce repeated messages into a single line doesn't 
make a difference. The printk_ratelimit stuff is supposed to make it very 
hard to DOS a system by flooding syslog, but that doesn't mean its 
impossible. 

The point of this discussion was that having a part of the kernel log a 
message about a fork-bomb was a very large whole that could be used to DOS a 
system by flooding the syslog. (In fact, IIRC, the printk_ratelimit (and 
somebody, please correct me if I'm wrong) stuff uses a ring buffer and 
seriously spamming syslog, like the patch that spawned this thread would have 
done, could cause you to lose potentially important messages)

DRH
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/