Re: [cobalt-security] DDoS Prevention thru Throttling
- Subject: Re: [cobalt-security] DDoS Prevention thru Throttling
- From: "E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>
- Date: Wed, 16 Oct 2002 13:56:25 +0000 (GMT)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
J> Date: Wed, 16 Oct 2002 13:09:20 +0100
J> From: Jamie
J> In light of the recent DDOS / Buffer overflow exploits that
J> have popped up recently, I have been thinking,
J>
J> Couldn't we just do a system-wide CPU% usage limit on every
J> user...
No.
It's not an issue of restricting CPU activity. What happens in
the classic "remote exploit" is someone sends a carefully-crafted
request that tricks the buggy software into running arbitrary
code.
IIRC, phrack.org has some good tutorials on how buffer exploits
work. Print string vulnerabilities are similar. Race conditions
are a different beast.
J> I have looked into /etc/security/limits.conf, as well as
J> ulimit, but it seems these both work on a time-spent limit,
J> as opposed to a %-used limit.
Correct.
J> I want to say, don't let any process by user, httpd,
J> collectively, or singularly, use more than 60% of the system
J> cpu.
Different issue from the above concerns about exploits.
J> Ulimit is of no use as the user doesn't login, and
J> limits.conf, only seems to limit the amount of cpu time one
J> process is allowed, as opposed to doing what I require.
J>
J> I would like to lock down a few users as well, who run some
J> perl scripts, which have the 'potential' to be used to
J> resource-starve the box...
J>
J> Anyone got any thoughts / recommendations on how to
J> effectively not allow user X to use more than Y% of the CPU,
J> across all their processes?
IMHO, Linux does an okay job arbitrating between processes vying
for CPU. I think BSD is better.
It sounds like you want something along the lines of virtual
machines (a la OS/400) or scheduling classes (a la SysV).
Solaris offers the latter... but I've been told Sun/Cobalt has no
interest in straying from Linux on x86.
IIRC, there is a "virtual machine" distribution of Linux...
Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist@xxxxxxxxx>, or you are likely to
be blocked.
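Jamie's observation above, that limits.conf and ulimit cap the CPU time a process has consumed rather than the share of the CPU it is using, is easy to see by driving the underlying primitive, RLIMIT_CPU, directly. The following C program is an added example for this archive page; it is not part of the original mail and not Cobalt's code. It forks two children under a one-second RLIMIT_CPU: one spins flat out, the other spins for half of every 100 ms slice and sleeps for the rest. Both are killed after burning one second of CPU, but the half-duty child survives roughly twice as long on the wall clock, because the limit never notices that it was only using 50%. The 100 ms slice, the duty-cycle fractions and the `run_result` struct are choices made here for illustration, not anything from the thread.

```c
/* rlimit_cpu_demo.c - added example: RLIMIT_CPU caps CPU *seconds*, not CPU *share*.
 * Build: cc -O2 -o rlimit_cpu_demo rlimit_cpu_demo.c   (Linux; needs fork/wait4)
 */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

struct run_result {
    int term_signal;     /* signal that ended the child (SIGXCPU expected); 0 = exited normally */
    double cpu_seconds;  /* user + system CPU time the child consumed, from wait4() rusage */
    double wall_seconds; /* wall-clock seconds the child survived */
};

static double now_seconds(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec + ts.tv_nsec / 1e9;
}

/* Burn CPU for busy_fraction of every 100 ms slice and sleep for the rest.
   A sleeping process accrues no CPU time, so RLIMIT_CPU does not see it. */
static void duty_cycle_loop(double busy_fraction) {
    const double slice = 0.100;            /* 100 ms, an illustrative choice */
    for (;;) {
        double start = now_seconds();
        while (now_seconds() - start < slice * busy_fraction)
            ;                              /* spin: pure user-mode CPU time */
        if (busy_fraction < 1.0) {
            double idle_s = slice * (1.0 - busy_fraction);
            struct timespec idle;
            idle.tv_sec = (time_t)idle_s;
            idle.tv_nsec = (long)((idle_s - idle.tv_sec) * 1e9);
            nanosleep(&idle, NULL);
        }
    }
}

/* Fork a child, cap its CPU time at cpu_limit seconds (the same thing
   "ulimit -t" / limits.conf "cpu" do), run it at the given duty cycle,
   and report how it died and what it consumed. */
struct run_result run_under_cpu_limit(unsigned cpu_limit, double busy_fraction) {
    struct run_result r = {0, 0.0, 0.0};
    double t0 = now_seconds();
    pid_t pid = fork();
    if (pid < 0) { r.term_signal = -1; return r; }
    if (pid == 0) {
        struct rlimit rl;
        if (getrlimit(RLIMIT_CPU, &rl) != 0) _exit(3);
        rl.rlim_cur = cpu_limit;                              /* soft limit: SIGXCPU when reached */
        if (rl.rlim_max < cpu_limit) rl.rlim_max = cpu_limit; /* unprivileged code may only lower the hard limit */
        /* If soft == hard, Linux delivers SIGKILL at the limit instead of SIGXCPU. */
        if (setrlimit(RLIMIT_CPU, &rl) != 0) _exit(3);
        duty_cycle_loop(busy_fraction);                       /* never returns; the kernel kills us */
        _exit(0);
    }
    int status;
    struct rusage ru;
    if (wait4(pid, &status, 0, &ru) < 0) { r.term_signal = -1; return r; }
    r.wall_seconds = now_seconds() - t0;
    r.cpu_seconds = ru.ru_utime.tv_sec + ru.ru_utime.tv_usec / 1e6
                  + ru.ru_stime.tv_sec + ru.ru_stime.tv_usec / 1e6;
    if (WIFSIGNALED(status)) r.term_signal = WTERMSIG(status);
    return r;
}

/* Returns 1 when the point of the demo holds: both children are killed by the
   limit after about one CPU second, and the half-duty child outlives the
   full-duty one on the wall clock by a wide margin. Returns 0 otherwise. */
int cpu_limit_counts_time_not_share(void) {
    struct run_result full = run_under_cpu_limit(1, 1.0);
    struct run_result half = run_under_cpu_limit(1, 0.5);
    int both_killed = (full.term_signal == SIGXCPU || full.term_signal == SIGKILL)
                   && (half.term_signal == SIGXCPU || half.term_signal == SIGKILL);
    int both_burned_one_second = full.cpu_seconds > 0.8 && full.cpu_seconds < 2.5
                              && half.cpu_seconds > 0.8 && half.cpu_seconds < 2.5;
    int half_lived_longer = half.wall_seconds > full.wall_seconds * 1.5;
    return both_killed && both_burned_one_second && half_lived_longer;
}

int main(void) {
    struct run_result full = run_under_cpu_limit(1, 1.0);
    struct run_result half = run_under_cpu_limit(1, 0.5);
    printf("100%% duty: signal %d, cpu %.2fs, wall %.2fs\n",
           full.term_signal, full.cpu_seconds, full.wall_seconds);
    printf(" 50%% duty: signal %d, cpu %.2fs, wall %.2fs\n",
           half.term_signal, half.cpu_seconds, half.wall_seconds);
    return 0;
}
```

The two lines printed by main show the same one second of CPU charged to each child while the wall-clock figures differ by about a factor of two; a process that idles most of the time could run for hours before a "cpu" entry in limits.conf ever fires, which is why that knob is a guard against runaway jobs and not a share limit of the kind the question asks for.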