On Saturday, 19.03.2005, at 12:37 +0000, Rui Miguel Seabra wrote:
> On Fri, 2005-03-18 at 21:23 -0700, Tyler Larson wrote:
> > Fork bombs have always been of little concern to admins. They do
> > relatively little damage and are completely traceable. The perpetrator
> > does little more than land himself in a lot of hot water. In most cases,
> > the threat of disciplinary action is enough protection--it's not an
> > attack that can be launched anonymously.
>
> They are definitely not of little concern. A fork bomb on the DNS server
> launched through some other bug would cause some interesting harm.

Sorry, but an admin that allows users to log into a DNS server is either stupid or ignorant. And when somebody would be able to log into it via a bug, you should first fix that bug, since there are other more efficient ways to "get rid" of the DNS server (like overloading the network interface with traffic).

> > In the extremely rare case where fork bomb protection is a big enough
> > concern to warrant reducing the process limits, the administrator can
> > impose whatever ulimit he wants. However, this is the exception rather
> > than the rule.
>
> Yes. But I don't envisage a user of Fedora with 16k processes, do you?
>
> I agree that the limit is insanely high.

16k is high, but definitely not insanely. On an SMP webserver the "apache" user has no problem starting 1k to 2k processes. And having read a recent review in one of Germany's IT magazines about Delta's new 8-way Opteron with 64GB main memory and up to 4 gigabit network connections, I don't think 16k processes is impossible. It simply depends on what the machine does and what resources the machine has. (BTW, the 8-way machine comes with Linux preloaded.)

-Thomas