> Dear all...
> First of all, really sorry for cross-posting...
> I am running a -CURRENT system (Apr 30th 2001). There is a user in my
> machine running this small program to DoS my xl0 interface. I doubt that
> this program is specifically designed for xl cards though.
> Once the program is started, it starts forking childs I assume. Then after
> sometime, this messages start popping to my screen:
> xl0: no memory for rx lists -- packet dropped
> After going to single user mode, cause I can't kill the offending program
> once it is running in multiuser mode (even kill -9 won't work on my
> then coming back to multiuser mode, I tried to run it and trace what it
> with truss. But, truss didn't seem to output anything at all. Then, I saw
> the program state in top and it said the program is in mbuf state.
> I have searched all mailing lists archieves in
> http://www.freebsd.org/search/search.html#mailinglists but wierdly, there
> are no articles shown when I enter this as a query: "no memory for rx
> Can anyone help me trace what the program does? And how can I prevent the
> program to DoS my network interface? Even when the program is started by
> unprivileged user, it works, it DoS my network interface. Is this a bug?

I don't know exactly what this program does, but by looking at the 'strings'
output, it would appear to do a bunch of setsockopt(), socketpair(),
write()s and fork()s.  I imagine that it's forking like crazy (to grind your
system to a half) and doing some funky socket stuff (to overload the NIC

The reason why this works when run as an underpriviledged user is because a)
any user can fork() and b) any user can create sockets and use the network.

You should be able to kill -9 this program; however, you must make sure that
you kill the parent.  You may find the 'killall' command useful.

There's not much that you can do to prevent the DoS of a NIC -- it could
happen just as easily from the outside as from the inside (although via
different means).  However, you can monitor what your users are doing on the
system, and take appropriate actions if they're abusing them.

Matt Emmerton

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to