On Fri, Oct 01, 1999, Bruce Guenter <[EMAIL PROTECTED]> wrote:
> On Fri, Oct 01, 1999 at 11:09:10AM -0700, Johannes Erdfelt wrote:
> > Both work for me fine. I dunno what people's big gripes against inetd
> > are. It works damn well for almost every service that doesn't have high
> > loads. In 99% of people's cases who use mail, they won't get more than
> > 40 hits a second, and if they do, increase it. I run it with a 10000 hit
> > maximum on a relatively busy mail server (close to 100,000 incoming messages
> > a day)
> 
> And what happens when somebody tries to actively attack your system?
> With these limits, I expect that a remote user could make your system
> run out of FDs in a few minutes, not to mention memory.  With a limit of
> 10000, I could probably open up a thousand or so connections a minute
> without triggering any of inetd's limits, and leave them open.
> 
> inetd protects against one thing: rapid attacks.  It does not offer any
> protection against total amount of resources used (in the form of number
> of connections).  I have never run into a situation where rate
> protection is needed, and have only rarely heard of such situations.
> However, resource starvation is common.

I'm not personally worried about it. There are so many effective Denial
of Service attacks on the Internet (smurfs, etc) that stopping one
easily traceable one does me little good.

Also, given that qmail's binaries are so lightweight, it would take a lot
of connections to effectively do that. They'd probably run out of port
space on the IP they're attacking from before it really started to
seriously affect my machine.

But yes, octopus-like attacks can be a problem, but for the majority of
users it's not a problem. The wasted memory by another daemon running
is probably more of a worry than a DoS attack on a very low-profile, low
traffic mail server.

JE
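As an added example that is not part of this thread: a small event-driven model contrasting the per-minute rate cap the quoted text attributes to inetd with a cap on connections open at once (the kind of limit ucspi-tcp's tcpserver provides with -c). The two connection traces are constructed, and the policy names and limits are assumptions for illustration.

```python
from collections import deque

def simulate(conns, policy, limit):
    """conns: list of (open_at, close_at) in seconds, sorted by open_at.
    policy "rate": accept while fewer than `limit` connections were
    accepted in the last 60 s (inetd-style per-minute cap).
    policy "concurrency": accept while fewer than `limit` accepted
    connections are still open (tcpserver -c style cap).
    Returns (accepted, peak_open)."""
    recent = deque()      # open times of accepted conns within the last 60 s
    open_until = []       # close times of accepted conns still open
    accepted = peak = 0
    for open_at, close_at in conns:
        open_until = [t for t in open_until if t > open_at]  # expire closed
        while recent and open_at - recent[0] >= 60:
            recent.popleft()
        if policy == "rate":
            ok = len(recent) < limit
        elif policy == "concurrency":
            ok = len(open_until) < limit
        else:
            raise ValueError(f"unknown policy {policy!r}")
        if ok:
            accepted += 1
            recent.append(open_at)
            open_until.append(close_at)
            peak = max(peak, len(open_until))
    return accepted, peak

# Constructed trace 1: one connection every 0.1 s for 10 minutes (600/min,
# well under a 10000/min cap), each held open for an hour.
SLOW_HOLD = [(i * 0.1, i * 0.1 + 3600) for i in range(6000)]

# Constructed trace 2: 3000 connections arriving within one second, each
# finishing in half a second (the rapid case a per-minute cap is built for).
BURST = [(i / 3000, i / 3000 + 0.5) for i in range(3000)]

if __name__ == "__main__":
    for name, trace in (("slow hold", SLOW_HOLD), ("burst", BURST)):
        print(name, "rate(10000/min):", simulate(trace, "rate", 10000),
              "concurrency(200):", simulate(trace, "concurrency", 200))
```

The slow trace never trips the per-minute cap yet ends with thousands of descriptors held open, while the concurrency cap bounds peak usage at the configured limit in both traces.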
