Re: Patch related with Fork Bombing Attack

From: Krzysztof Halasa
Date: Wed Jun 13 2007 - 16:25:44 EST


Daniel Hazelton <dhazelton@xxxxxxxxx> writes:

> I think the reasoning here is to alert the administrator(s) to the possibility
> that somebody has just tried a fork-bomb. A better test, IMHO, would be to
> check how fast the processes are being spawned and whether a large percentage
> share the same parent. (Those two taken together would better spot most
> fork-bombs, including the very simple types that are just a simple one-liner)

Not sure if it's a great idea at all. If the attacker is dumb then the
administrator already has everything he/she needs (and more) to adjust
the luser attitude.
If it's a serious attack then the attacker will evade the tests anyway
(but he/she may not be able to overcome the limits and the admin
still has all required info etc).

If we print such things then perhaps the next patch in queue should
warn us about users trying to access /etc/shadow or issuing some
configuration syscalls?

From a different point of view it would be alerting sysadmins about
a user who tried to create one more process than he/she was allowed
to. Isn't it crazy?
--
Krzysztof Halasa
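
The two-part test suggested in the quoted text (spawn rate, plus the share of new processes with one parent), as an added userspace example that is not part of the original message or of the patch under discussion. The window length, both thresholds, the `fork_event` record and the `demo` helper are assumptions made for illustration, and the events are constructed.

```c
#include <stdio.h>
#include <stddef.h>

#define WINDOW_MS 1000 /* assumed window length */
#define MIN_FORKS 50   /* assumed rate test: forks per window */
#define MIN_SHARE 60   /* assumed share test in percent; must stay above 50 */
struct fork_event { long t_ms; int ppid; }; /* one observed fork */

/* Parent PID that trips both tests in some window, else 0 (ev sorted by time). */
int suspect_parent(const struct fork_event *ev, size_t n)
{
    size_t start = 0;
    for (size_t end = 0; end < n; end++) {
        while (ev[end].t_ms - ev[start].t_ms >= WINDOW_MS)
            start++;                  /* keep the window under WINDOW_MS */
        size_t total = end - start + 1, hits = 0;
        if (total < MIN_FORKS)
            continue;                 /* test 1: spawn rate too low */
        /* test 2: majority vote finds the only parent that can exceed 50% */
        int cand = 0, votes = 0;
        for (size_t i = start; i <= end; i++) {
            if (votes == 0)
                cand = ev[i].ppid;
            votes += (ev[i].ppid == cand) ? 1 : -1;
        }
        for (size_t i = start; i <= end; i++)
            hits += (ev[i].ppid == cand);
        if (hits * 100 >= total * MIN_SHARE)
            return cand;
    }
    return 0;
}

/* Constructed sample: 80 forks, gap_ms apart, spread over nparents parents. */
int demo(long gap_ms, int nparents)
{
    struct fork_event ev[80];
    for (int i = 0; i < 80; i++) {
        ev[i].t_ms = i * gap_ms;
        ev[i].ppid = 4242 + i % nparents;
    }
    return suspect_parent(ev, 80);
}

int main(void)
{
    printf("%d %d %d\n", demo(10, 1), demo(10, 8), demo(100, 1));
    return 0;
}
```

A fast burst from one parent is flagged, while the same rate spread over eight parents, or a slow trickle from one parent, is not.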