Re: [Vserver] Denial of service issue
On Wed, Jun 14, 2006 at 11:45:42AM +0300, Nikolay Kichukov wrote:
> Hi all,
> I was following the thread and if possible I would like someone to
> elaborate on a few more points.
>
> Which is the version of the utils in development that can resolve that
> matter if dentry limits is applied? When was this fix applied?

it's no fix, it is an additional limit, the typical linux system
(mainline) is still open to such attacks which can be executed by
an arbitrary user ... the feature was added shortly after vs2.1.1-rc18,
so it is in recent devel kernels, the tools do not need to be modified
to allow setting this limit

> How does the dentry limit work

very similar to the other limits, the dentries are accounted and
compared to a hard limit, which, when hit, will return an error ...

> and how is it configured on the host side?

again, very similar to the other limits ...

> As Herbert said "(e.g. three strikes and you're out)" how to
> configure that for example?

this one was referring to some 'hosting' policy, and in this case
it means something like: if you 'accidentally' hog the system with
something, you'll get a warning from the hoster ... if you
'accidentally' do it again, you'll get kicked ...

HTH,
Herbert

> Thanks and regards,
> -Nikolay Kichukov
>
> On Wed, 2006-06-14 at 01:10 +0200, Herbert Poetzl wrote:
> > On Tue, Jun 13, 2006 at 09:16:48PM +1000, Russell Kliese wrote:
> > > I was just reading an article on kernel trap that raised some issues about
> > > linux-vservers: http://kerneltrap.org/node/6492 .
> > >
> > > In particular, the following denial of service attack from within a
> > > vserver seemed worrying because of its simplicity.
> > >
> > > > run a program doing `mkdir("aaa"); chdir("aaa");' in a loop inside
> > > > Linux-VServer VPS and see what happens.
> > >
> > > Is there work being done to prevent such DoS attacks? I have to admit
> > > that I haven't tested this yet and it might just be FUD, but I thought
> > > that I might as well ask.
> >
> > dentry limits in devel prevent this specific DoS
> > attack, but IMHO there will always be some way to
> > 'hurt' a system which is based on resource sharing,
> > so the best approach is to apply some policy there
> > (e.g. three strikes and you're out)
> >
> > best,
> > Herbert
> >
> > > Russell
> --
> When we are happy, we are good. But when we are good, we are not always happy...
> -Oscar Wilde
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
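Added example (editor's, not code from the thread or from Linux-VServer): a bounded, self-cleaning version of the `mkdir("aaa"); chdir("aaa");` probe quoted above. Herbert says the dentry limit is accounted against a hard limit and returns an error when hit; this is what an admin would run inside a guest to see whether the configured limit actually fires, at what depth, and with which errno, without leaving thousands of directories behind. The function names, the base-directory argument and the depth cap are this example's own assumptions; the thread does not say which errno the limit returns, so the program just reports whatever it gets.

```c
/* Bounded mkdir/chdir probe with cleanup. Example code, not from the
 * thread or the Linux-VServer tree; names below are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Descend at most `max_depth` levels under `base`, creating and entering
 * a directory named "aaa" at each level, exactly as the quoted loop does,
 * but stop at the first failing mkdir/chdir (e.g. when a per-guest limit
 * returns an error). Returns the number of levels actually created.
 * *saved_errno gets 0 on a clean stop at max_depth, else the failing
 * call's errno. On return the cwd is restored and every directory this
 * call created has been removed again. */
unsigned long probe_nested_dirs(const char *base, unsigned long max_depth,
                                int *saved_errno)
{
    const char *name = "aaa";          /* leaf name from the original post */
    unsigned long depth = 0;
    int start = open(".", O_RDONLY | O_DIRECTORY);   /* to restore cwd */

    *saved_errno = 0;
    if (start < 0 || chdir(base) != 0) {
        *saved_errno = errno;
        if (start >= 0) close(start);
        return 0;
    }

    while (depth < max_depth) {
        if (mkdir(name, 0700) != 0) {  /* a hit limit shows up here */
            *saved_errno = errno;
            break;
        }
        if (chdir(name) != 0) {
            *saved_errno = errno;
            rmdir(name);               /* created but never entered */
            break;
        }
        depth++;
    }

    /* Unwind: step up one level at a time, removing the directory just left.
     * Relative paths keep this working far beyond PATH_MAX total depth. */
    for (unsigned long i = 0; i < depth; i++) {
        if (chdir("..") != 0) break;
        rmdir(name);
    }
    (void)fchdir(start);
    close(start);
    return depth;
}

/* Wrapper: make a scratch base, probe `depth` levels, remove the base.
 * Returns the depth reached on a clean run, -1 if the probe stopped on an
 * error or the base could not be removed (i.e. the unwind was incomplete). */
long probe_demo(const char *base, unsigned long depth)
{
    int err;
    unsigned long got;

    if (mkdir(base, 0700) != 0 && errno != EEXIST)
        return -1;
    got = probe_nested_dirs(base, depth, &err);
    if (rmdir(base) != 0)
        return -1;
    return err ? -1 : (long)got;
}

/* Error path: a base that does not exist must yield its errno, not a crash. */
int probe_missing_base_errno(void)
{
    int err;
    probe_nested_dirs("/nonexistent/vs_probe_base", 3, &err);
    return err;
}

int main(int argc, char **argv)
{
    const char *base = argc > 1 ? argv[1] : ".";
    unsigned long want = argc > 2 ? strtoul(argv[2], NULL, 10) : 1000;
    int err;
    unsigned long got = probe_nested_dirs(base, want, &err);

    printf("created %lu of %lu nested directories", got, want);
    if (err)
        printf(", stopped on: %s (errno %d)", strerror(err), err);
    printf("\n");
    return 0;
}
```

Run it inside the guest as an unprivileged user with a depth well above the limit you configured (for example `./probe /tmp 100000`); on a kernel without the limit it simply reaches the cap, which is the mainline behaviour Herbert and Christian point out.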
Re: [Vserver] Denial of service issue
Hi all,
I was following the thread and if possible I would like someone to
elaborate on a few more points.

Which is the version of the utils in development that can resolve that
matter if dentry limits is applied? When was this fix applied?

How does the dentry limit work and how is it configured on the host side?

As Herbert said "(e.g. three strikes and you're out)" how to
configure that for example?

Thanks and regards,
-Nikolay Kichukov

On Wed, 2006-06-14 at 01:10 +0200, Herbert Poetzl wrote:
> On Tue, Jun 13, 2006 at 09:16:48PM +1000, Russell Kliese wrote:
> > I was just reading an article on kernel trap that raised some issues about
> > linux-vservers: http://kerneltrap.org/node/6492 .
> >
> > In particular, the following denial of service attack from within a
> > vserver seemed worrying because of its simplicity.
> >
> > > run a program doing `mkdir("aaa"); chdir("aaa");' in a loop inside
> > > Linux-VServer VPS and see what happens.
> >
> > Is there work being done to prevent such DoS attacks? I have to admit
> > that I haven't tested this yet and it might just be FUD, but I thought
> > that I might as well ask.
>
> dentry limits in devel prevent this specific DoS
> attack, but IMHO there will always be some way to
> 'hurt' a system which is based on resource sharing,
> so the best approach is to apply some policy there
> (e.g. three strikes and you're out)
>
> best,
> Herbert
>
> > Russell
--
When we are happy, we are good. But when we are good, we are not always happy...
-Oscar Wilde
Re: [Vserver] Denial of service issue
Thanks for all of your replies. I posted a reply on kerneltrap in case
other people are interested in what is happening with this issue.

Russell
Re: [Vserver] Denial of service issue
On Tue, Jun 13, 2006 at 09:16:48PM +1000, Russell Kliese wrote:
> I was just reading an article on kernel trap that raised some issues about
> linux-vservers: http://kerneltrap.org/node/6492 .
>
> In particular, the following denial of service attack from within a
> vserver seemed worrying because of its simplicity.
>
> > run a program doing `mkdir("aaa"); chdir("aaa");' in a loop inside
> > Linux-VServer VPS and see what happens.
>
> Is there work being done to prevent such DoS attacks? I have to admit
> that I haven't tested this yet and it might just be FUD, but I thought
> that I might as well ask.

dentry limits in devel prevent this specific DoS
attack, but IMHO there will always be some way to
'hurt' a system which is based on resource sharing,
so the best approach is to apply some policy there
(e.g. three strikes and you're out)

best,
Herbert

> Russell
Re: [Vserver] Denial of service issue
On Tuesday 13 June 2006 11:26, Guenther Fuchs wrote:
> This is not "only" a vserver DoS attack as far as I understood, this
> is a general Linux issue I guess.

Yup, it is also a Mainline issue.

--
Christian Heim <[EMAIL PROTECTED]>
Gentoo Linux Developer - vserver/openvz
Re: [Vserver] Denial of service issue
Hi there,

on Tuesday, June 13, 2006 at 1:16:48 PM there was posted:

RK> Is there work being done to prevent such DoS attacks?

Yes, on his "linuxtage" task Herbert mentioned this already being fixed
(minimum in development release) through "directory" limits to be set on
guest configurations (Herbert for sure will rely on this as soon as he
reads it).

This is not "only" a vserver DoS attack as far as I understood, this is a
general Linux issue I guess.

RK> I have to admit that I haven't tested this yet and it might just
RK> be FUD, but I thought that I might as well ask.

Unfortunately not, but as it is "just" a DoS thing and easy to find the
source, most users wouldn't issue it still. Anyhow, it is a risk - and it
(minimum in the near future) will / can be solved. That's the good news 8-)

--
regards 'n greez,
Guenther Fuchs (aka "muh" and "powerfox")
[Vserver] Denial of service issue
I was just reading an article on kernel trap that raised some issues about
linux-vservers: http://kerneltrap.org/node/6492 .

In particular, the following denial of service attack from within a
vserver seemed worrying because of its simplicity.

> run a program doing `mkdir("aaa"); chdir("aaa");' in a loop inside
> Linux-VServer VPS and see what happens.

Is there work being done to prevent such DoS attacks? I have to admit
that I haven't tested this yet and it might just be FUD, but I thought
that I might as well ask.

Russell