On Mon, 10 Jan 2000, Alexandre Hautequest wrote:
> description:
> Fork Bomb Defuser is an easily loadable kernel module for Linux which
> detects, logs, and disables "fork bombs". It allows you to configure
> max_forks_per_second and max_tasks_per_user parameters at module load
> time. Any possible fork bomb that attempts to spawn a huge number of
> processes simultaneously is detected in real time, and the fork bomb is
> disabled.
Cool. Now forkbomb authors have to put timeouts into their
code and wait with detonating the for(;;) loops until they've
reached their max_tasks_per_user limit...
Or rather, this is a clever way to mask the problem. Some
things you probably want on a shell server with (lots of)
untrusted users are:
- fair scheduling (first allocate per user, then divide that
cpu time into what the processes want)
- a good beancounting system to avoid out-of-memory DoSes
- good logging to kick evil kiddiez and make sure they don't
work together to take the system down anyway
I believe that options and patches for the first and third
option already exist, the second will be worked on in the
future because several people have expressed their interest
in it.
cheers,
Rik
-- The Internet is not a network of computers. It is a network of people. That is its real strength.- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sat Jan 15 2000 - 21:00:18 EST