Re: ANNOUNCE: secure identd v0.3
Wietse Venema (wietse PORCUPINE.ORG)
Wed, 16 Sep 1998 20:57:28 -0400
- Next message: Taral: "Re: ANNOUNCE: secure identd v0.3"
- Previous message: Bay Networks Technical Support: "Re: Annex DoS"
- In reply to: Taral: "Re: ANNOUNCE: secure identd v0.3"
- Next in thread: Kragen: "Re: ANNOUNCE: secure identd v0.3"

rlimits can be used as a safety net, but I prefer that the program
itself remains in control of its resource usage. I just don't find
it very elegant to crash and die on illegal input...

For example, when all data objects have limited size, and when the
number of object instances is limited, so is the amount of memory
required to hold those objects.

This just changes some programs into special-purpose cache managers.

In the days of 16-bit and smaller computers, real programmers had
to do real work to make their programs actually fit the machine.
Perhaps I am just showing my age.

Wietse

Taral:
> Actually, a secure box should run with RLIMIT_AS (Linux-ism?) set on all
> daemons... I started using it on apache httpd to prevent the header-spam
> DoS, but it seems like a good idea on all processes that shouldn't consume
> much memory.
>
> Taral
>
> > -----Original Message-----
> > Suggested fix: read a fixed-size read buffer from the network. No
> > reasonable ident query needs to be longer than a couple bytes for
> > the two port numbers. When used in the right place, fixed-size
> > buffers are beneficial to security.
> >
> > Wietse
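
The fixed-size read suggested in the quoted fix, sketched as an added example that is not part of the original thread or of any identd source: the query is read into a buffer that never grows, and anything that does not fit or does not parse as two ports is rejected. The 32-byte cap and the names `ident_query`, `parse_port`, `parse_ident_query` and `read_ident_query` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define IDENT_QUERY_MAX 32  /* assumed cap; "65535 , 65535\r\n" is 15 bytes */
struct ident_query { int ok; unsigned server_port, client_port; };
/* Parse one decimal port (1..65535) with optional blanks around it. */
static int parse_port(const char **p, const char *end, unsigned *out)
{
    unsigned v = 0, digits = 0;
    while (*p < end && (**p == ' ' || **p == '\t')) (*p)++;
    for (; *p < end && **p >= '0' && **p <= '9'; (*p)++) {
        v = v * 10 + (unsigned)(**p - '0');
        if (v > 65535 || ++digits > 5) return 0;   /* out of range */
    }
    while (*p < end && (**p == ' ' || **p == '\t')) (*p)++;
    *out = v;
    return v > 0;                                  /* no digits or port 0 fails */
}

/* Accept only "<port> , <port>" terminated by a newline within len bytes. */
struct ident_query parse_ident_query(const char *buf, size_t len)
{
    struct ident_query q = {0, 0, 0};
    const char *p = buf, *end = memchr(buf, '\n', len);
    if (end == NULL) return q;            /* overlong or truncated: reject */
    if (end > buf && end[-1] == '\r') end--;
    q.ok = parse_port(&p, end, &q.server_port) && p < end && *p++ == ',' &&
           parse_port(&p, end, &q.client_port) && p == end;
    return q;
}

/* Read into a fixed buffer; it never grows, whatever the peer sends. */
struct ident_query read_ident_query(int fd)
{
    char buf[IDENT_QUERY_MAX];
    size_t used = 0;
    ssize_t n;
    while (used < sizeof buf && memchr(buf, '\n', used) == NULL &&
           (n = read(fd, buf + used, sizeof buf - used)) > 0)
        used += (size_t)n;
    return parse_ident_query(buf, used);
}

int main(void)
{
    struct ident_query q = read_ident_query(STDIN_FILENO);
    printf("ok=%d server=%u client=%u\n", q.ok, q.server_port, q.client_port);
    return q.ok ? 0 : 1;
}
```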