Re: forkbombing Linux distributions

[Natanael Copa <mlists@tanael.org>]

On Wed, 2005-03-30 at 19:40 +0200, Jacek Łuczak wrote:
> Hi
> 
> I made some tests and almost all Linux distros brings down while freebsd 
> survive!Forkbombing is a big problem but i don't think that something like
> 
> max_threads = mempages / (16 * THREAD_SIZE / PAGE_SIZE);
> 
> is good solution!!!
> How about add max_user_threads to the kernel? It could be tunable via 
> proc filesystem. Limit is set only for users.
> I made a fast:) patch - see below - and test it on 2.6.11, 
> 2.6.11ac4,2.6.12rc1...works great!!!New forks are stoped in 
> copy_process() before dup_task_struct() and EAGAIN is returned. System 
> works without any problems and root can killall -9 forkbomb.
> 

I really liked this approach because:

* it is similar to other *nixes. (freebsd, openbsd)

* it is easily tuneable (/proc or systcl)

* it is stupid simple - small chance that things can go wrong.

* this solves *many* things in comparation to possible problems it
causes.

Only thing that could be a problem that I come to think of is that you
cannot raise the limit through /etc/security/limits.conf or similar. Eg.
you migh want all setuid() services/daemons run with a low limit but you
want give user Bob more processes. (I don't know if this is a realistic
situation though)

The default value could be something like:

max_user_threads = max_threads / 2

or:

max_user_threads = max_threads / 4;

With a lower limit to 20 or something, just like max_threads (in case
you try run Linux on 2MiB RAM)

If a fixed value (like 300, 512, 2000) is used then will probably
systems with low amount of RAM be vulerable to the forkbomb attack.

--
Natanael Copa