"Jason Brooke" <[EMAIL PROTECTED]> writes:
> That's all well and good though, until your comment about tcpserver not
> preventing this DOS. If this is true then I have to withdraw.
>
> I run qmail under tcpserver on variety of slackware 7.1 installs and and a
> couple of slackware 4.0 installs, and none of these are affected by this DOS.
> There may be some limit in place on slackware 4.0/7.1 that I don't know
> about - but I haven't put any in myself. I've also seen other services spiral
> up the loadavg at an alarming rate under certain conditions until the box
> practically grinds to a halt, so this limit must be very selective if it
> exists :)
The DoS attack is based on growing the memory used by an instance of
qmail-smtpd, so that it fills up the available swap space. It is
softlimit which prevents that growth, not tcpserver. softlimit can be
used with the -m option to set a limit on the amount of memory space
which the child process may obtain. For more information, see
http://cr.yp.to/daemontools/softlimit.html
http://cr.yp.to/docs/resources.html
Also, note the use of softlimit in Life With Qmail in the
/var/qmail/supervise/qmail-smtpd/run file. Ask yourself why it is
there.
Note that the load average is not affected by this DoS, except
indirectly as programs get swapped out.
I don't know how you were running qmail under tcpserver, so I don't
know whether there was a memory limit. I also don't know what limits
Slackware may apply normally. A process started at boot time by root
typically does not have a memory limit on most Unix systems. If you
use bash, you can run the builtin `ulimit -a' to see what memory
limits are applied to your process.
As I said in my original post, when the Linux kernel runs out of swap
space, it will randomly kill a user process. It is reasonably likely
that it will kill the large qmail-smtpd, since on an otherwise stable
system that will typically be the process requesting more memory. In
that case, you aren't going to see a serious DoS. You will just see a
qmail-smtpd get larger and larger and larger until it suddenly dies.
While it is large, your system may slow down due to increased
swapping. If you are unfortunate enough to have the kernel kill some
other process, you may see more serious consequences.
Ian
