[H-GEN] Denial of Service

Martin Pool mbp at meesha.humbug.org.au
Tue May 26 10:05:03 EDT 1998


>A few days ago, my linux box was subject to a simple, yet horribly
>effective denial of service.  I've found the perpetrator---it was someone
>I trusted, someone I respect...

Did you authorize the access?  No?  That's five to ten years for you, my
son.  Officer Brockway...

>So now, I'm thinking about process limits, or any other way of stopping
>users from taking all the ram or cpu cycles.  Filesystem quotas are
>being introduced once I get news sorted out[3], but what sort of settings
>would the more experienced humbuggers recommend using?[4]

Bear in mind that disk quotas cost you I/O every time you write a file.
News is a good example: much better that it be on a separate partition 
which will fill up then stop than that it have to update a quota table
every time you write a file.

ulimit -c 0 can be handy if you're never going to look at the core file:
core files are your friends, but TeX has a feature that dumps core
whenever you SIGINT it, which I tend to do fairly often.  Undoubtedly
this means I am not enlightened, but turning off core files allows me
to continue wallowing.

Programs I am afraid might run away can have RSS or CPU
time limits.  One example that springs to mind is that it's often 
good to limit an httpd this way: when it uses 90% of the physical memory
of the machine it's better that the httpd should crash than that it
drag the entire machine down.  (Depending on the situation, of course.)

No, you're not allowed to put limits on emacs.

>[1] : $ sort /dev/zero # [2]

If you're playing silly (hum)buggers, then a few ulimits can be handy.

>| ``This is the sort of thing up with which I |
>|   will not put.''              -- Churchill |

'Why did you bring that book I didn't want to be read to out of about
down under up for?'

--
Martin
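
The per-program limits described in the message above, sketched as a shell wrapper. This is an added example, not part of the original post: the names run_limited and limit_verdict are hypothetical, and it caps address space with ulimit -v because current Linux kernels do not enforce the RSS limit (ulimit -m).

```sh
#!/bin/sh
# Added example: run one command under its own resource limits.

# run_limited CPU_SECONDS VMEM_KB COMMAND [ARGS...]
# The limits are set inside a subshell, so they apply to COMMAND and its
# children only; the calling shell keeps whatever limits it already had.
run_limited() {
    cpu_secs=$1
    vmem_kb=$2
    shift 2
    (
        ulimit -c 0          || exit 125   # no core files
        ulimit -t "$cpu_secs" || exit 125  # CPU seconds before the kernel signals it
        ulimit -v "$vmem_kb"  || exit 125  # address space cap, in kilobytes
        exec "$@"
    )
}

# limit_verdict EXIT_STATUS
# Turns the wrapper's exit status into something you can log. A status above
# 128 means the command died from a signal; a CPU limit overrun typically
# shows up as XCPU or KILL, depending on the system.
limit_verdict() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -eq 125 ]; then
        echo "could not set limits"
    elif [ "$status" -gt 128 ]; then
        echo "killed by SIG$(kill -l "$status")"
    else
        echo "exited $status"
    fi
}

# Typical use (values are illustrative, pick ones that suit the daemon):
#   run_limited 600 524288 /usr/sbin/httpd -f /etc/httpd.conf
#   echo "httpd: $(limit_verdict $?)"
```

A command that hits the address-space cap usually sees its allocations fail rather than receiving a signal, so it may exit with an ordinary error status instead of a signal status.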

