On 10/9/18 0810 UTC, Daniel P. Berrangé wrote:
AFAICT, the TCP receive buffer size is about 200 KB per socket. With the current nfile=4096, it looks like a single process can already consume 200 KB * 4096 = ~800 MB of RAM just by using TCP sockets. IOW, does the nfiles limit make a real world difference to avoiding memory DOS, if you can just pick a different DOS attack vector instead?
Yes, it does. The attacker might not think of TCP. Also, the usual successful TCP connection requires cooperation from a "far" endpoint, which can be cumbersome to arrange. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
