OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
FreeBSD Security Archives: Re: Out of mbuf clusters

Re: Out of mbuf clusters

Kip Macy (kiplyris.com)
Mon, 20 Sep 1999 11:47:54 -0700 (PDT)

Here is where your philosophy diverges from many others -- I and I believe
many others think that a server operating system should at least be robust
out of the box. Neither Linux nor Solaris is vulnerable to running out of
mbufs as a result of malicious code. I don't think FreeBSD should be
either.

This is in no way a rant against FreeBSD, but rather a rant against the
attitude that one needs to know about OS internals to run a lightweight
server. If all of core insisted that Joe User had to know about internals
to use FreeBSD as a server, FreeBSD would be little more than a hobbyist
OS, rather than what it is -- the best OS currently available.

                                        -Kip

On 20 Sep 1999, Dag-Erling Smorgrav wrote:

> "Joao Carlos" <jcarlosbahianet.com.br> writes:
> > I'm running FreeBSD 3.3-STABLE, and compiled a kernel with 64 maxusers. It
> > gives me somethink like 1048 processes. I don't know if it's a bug, or
> > whatever, but i got crazy when i tested a program called CLONE on a IRC
> > Server running i this machine.
> > Before arriving 1024 connections on te IRCD, (NOTE: nothing more like httpd,
> > squid, etc were running), The machine crashed, with the following message:
>
> I'll bet your CLONE thingy wasn't properly written, and doesn't
> actually consume the data sent by the server, causing the server to
> fill up mbufs. Currently, FreeBSD panics when it runs out of mbufs.
>
> 1) use ircd connection classes to prevent clients from opening more
> than a small number of connections, and to limit the size of the
> send queue. If you don't know what that means, don't run an IRC
> server.
>
> 2) increase the number of mbuf clusters. If you don't know how to do
> this, don't run an IRC server.
>
> 3) set up a heavy firewall in front of your server (preferably on
> your border router) which protects your server from SYN floods,
> UDP floods, smurfing fingerprinting, etc. If you don't know how to
> do this, don't run an IRC server.
>
> 4) harden your TCP/IP stack to withstand SYN floods, UDP floods,
> smurfing, fingerprinting, etc. Run a recent 4.0, or 3.3-R with my
> hardening patches, and understand what those patches do and how to
> use them. If you don't know how to do this, don't run an IRC
> server.
>
> 5) lock your machine down tight, including disabling all services
> except ircd and ssh and configuring sshd to only accept
> connections from trusted hosts and require RSA authentication (no
> rhosts, no password authentication). If you don't know how to do
> this, don't run an IRC server.
>
> 6) if you need a flooder, try my joiner.pl. Read the source and
> understand how it works and how to tune it before using it. Know
> that it can (and will) crash your server if you didn't do 1) and
> 2) properly. If you don't know how to do this, don't run an IRC
> server.
>
> DES
> --
> Dag-Erling Smorgrav - desflood.ping.uio.no
>
>
> To Unsubscribe: send mail to majordomoFreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
>
>

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

This archive was generated by hypermail 2.0b3 on Mon Sep 20 1999 - 13:49:08 CDT