To: Daniel Hazelton
Cc: "Simon Arlott", "Jan Engelhardt", "Roland Dreier", "Anand Jahagirdar", linux-kernel@vger.kernel.org, security@kernel.org, "Andrew Morton", akpm@digeo.com, "Jens Axboe", "Jiri Kosina"
Subject: Re: Patch related with Fork Bobmbing Attack
From: Krzysztof Halasa
Date: Wed, 13 Jun 2007 22:25:23 +0200
In-Reply-To: <200706131044.42338.dhazelton@enter.net> (Daniel Hazelton's message of "Wed, 13 Jun 2007 10:44:41 -0400")

Daniel Hazelton writes:

> I think the reasoning here is to alert the administrator(s) to the
> possibility that somebody has just tried a fork-bomb. A better test,
> IMHO, would be to check how fast the processes are being spawned and
> whether a large percentage share the same parent. (Those two taken
> together would better spot most fork-bombs, including the very simple
> types that are just a simple one-liner)

Not sure if it's a great idea at all. If the attacker is dumb then
the administrator already has everything he/she needs (and more) to
adjust the luser attitude. If it's a serious attack then the attacker
will evade the tests anyway (but he/she may not be able to overcome
the limits and the admin still has all required info etc).

If we print such things then perhaps the next patch in queue should
warn us about users trying to access /etc/shadow or issuing some
configuration syscalls?

From a different point of view it would be alerting sysadmins about
a user who tried to create one more process than he/she was allowed
to. Isn't it crazy?
-- 
Krzysztof Halasa
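
The test suggested in the quoted text above (spawn rate combined with the share of new processes that have the same parent), sketched as an added example that is not part of the original message or of any patch in the thread. The event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import Counter, deque

def detect_spawn_bursts(events, window=1.0, min_spawns=20, parent_share=0.5):
    """Flag bursts where many processes are spawned within `window` seconds
    AND at least `parent_share` of them have the same parent.

    events: iterable of (timestamp_seconds, child_pid, parent_pid).
    Thresholds are illustrative assumptions, not values from the thread.
    Returns one (timestamp, spawns_in_window, parent_pid, share) per burst.
    """
    recent = deque()       # (timestamp, parent_pid) of spawns inside the window
    by_parent = Counter()  # spawns per parent inside the window
    alerts, in_burst = [], False
    for ts, _child, ppid in sorted(events):
        recent.append((ts, ppid))
        by_parent[ppid] += 1
        # Expire spawns that fell out of the sliding window.
        while ts - recent[0][0] > window:
            _, old_ppid = recent.popleft()
            by_parent[old_ppid] -= 1
            if by_parent[old_ppid] == 0:
                del by_parent[old_ppid]
        top_ppid, top_count = by_parent.most_common(1)[0]
        share = top_count / len(recent)
        hit = len(recent) >= min_spawns and share >= parent_share
        if hit and not in_burst:  # report each burst once, not every spawn
            alerts.append((ts, len(recent), top_ppid, round(share, 2)))
        in_burst = hit
    return alerts

# Constructed sample data (not taken from a real system).
# 1) Interactive shell (pid 900) starting a command every 2 seconds.
SHELL = [(2.0 * i, 1000 + i, 900) for i in range(10)]
# 2) Parallel build: 30 quick spawns, each from a different parent.
BUILD = [(30.0 + 0.02 * i, 2000 + i, 1500 + i) for i in range(30)]
# 3) One parent (pid 4000) spawning 40 children in 0.4 seconds.
BURST = [(60.0 + 0.01 * i, 5000 + i, 4000) for i in range(40)]

if __name__ == "__main__":
    for alert in detect_spawn_bursts(SHELL + BUILD + BURST):
        print("possible fork bomb: t=%.2fs spawns=%d parent=%d share=%.2f" % alert)
```

With the sample data, the fast parallel build stays below the same-parent share and raises nothing, while the single-parent burst is reported once, when the 20th spawn enters the window.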