[9759] in bugtraq
Re: Process table attack (from RISKS Digest)
daemon@ATHENA.MIT.EDU (Andy Church)
Tue Feb 23 17:17:26 1999
Date: Mon, 22 Feb 1999 13:40:46 EST
Reply-To: Andy Church <achurch@DRAGONFIRE.NET>
From: Andy Church <achurch@DRAGONFIRE.NET>
X-To: booloo@cats.ucsc.edu
To: BUGTRAQ@NETSPACE.ORG
>ABSTRACT:
>
>The Process Table Attack is a [relatively] new kind of denial-of-service
>attack that can be waged against numerous network services on a variety of
>different UNIX systems. The attack is launched against network services
>which fork() or otherwise allocate a new process for each incoming TCP/IP
>connection. Although the standard UNIX operating system places limits on
>the number of processes that any one user may launch, there are no limits on
>the number of processes that the superuser can create other than the hard
>limits imposed by the operating system. Since incoming TCP/IP connections
>are usually handled by servers that run as root, it is possible to
>completely fill a target machine's process table with multiple
>instantiations of network servers.
Yet another reason to use a better-featured replacement for inetd,
such as xinetd (SunSITE:/pub/Linux/system/network/admin), which allows you
to specify the maximum number of processes allowed to be started for each
daemon (among other features not found in classic inetd).
I can't think of any other daemons that spawn indefinite numbers of
processes (with the exception of standalone ftpd's). In particular, CGI
scripts on web servers should not present a problem here, because in the
worst case, you'll almost certainly hit the per-process file descriptor
limit before reaching the system limit. (At least for single-process
HTTP daemons; can anyone speak for Apache here?)
--Andy Church
achurch@dragonfire.net
http://achurch.dragonfire.net/
