Re: [Vserver] Denial of service issue

2006-06-14 Thread Herbert Poetzl
On Wed, Jun 14, 2006 at 11:45:42AM +0300, Nikolay Kichukov wrote:
> Hi all,
> I was following the thread and if possible I would like someone to
> elaborate on a few more points.
> 
> Which is the version of the utils in development that can resolve that
> matter if dentry limits is applied? When was this fix applied?

it's no fix, it is an additional limit, the typical
linux system (mainline) is still open to such attacks
which can be executed by an arbitrary user ...

the feature was added shortly after vs2.1.1-rc18, so
it is in recent devel kernels, the tools do not need
to be modified to allow to set this limit

> How does the dentry limit work 

very similar to the other limits, the dentries are
accounted and compared to a hard limit, which, when
hit, will return an error ...

> and how is it configured on the host side? 

again, very similar to the other limits ...

> As herbert said "(e.g. three strikes and you're out)" how to
> configure that for example?

this one was referring to some 'hosting' policy,
and in this case it means something like:

 if you 'accidentally' hog the system with something,
 you'll get a warning from the hoster ...

 if you 'accidentally' do it again, you'll get
 kicked ...

HTH,
Herbert

> Thanks and regards,
> -Nikolay Kichukov
> 
> On Wed, 2006-06-14 at 01:10 +0200, Herbert Poetzl wrote:
> > On Tue, Jun 13, 2006 at 09:16:48PM +1000, Russell Kliese wrote:
> > > I was just reading an article on kernel trap that raised some issues about
> > > linux-vservers: http://kerneltrap.org/node/6492 .
> > > 
> > > In particular, the following denial of service attack from within a
> > > vserver seemed worrying because of its simplicity.
> > > 
> > > > run a program doing `mkdir("aaa"); chdir("aaa");' in a loop inside
> > > > Linux-VServer VPS and see what happens.
> > > 
> > > Is there work being done to prevent such DoS attacks? I have to admit
> > > that I haven't tested this yet and it might just be FUD, but I thought
> > > that I might as well ask.
> > 
> > dentry limits in devel prevent this specific DoS
> > attack, but IMHO there will always be some way to
> > 'hurt' a system which is based on resource sharing,
> > so the best approach is to apply some policy there
> > (e.g. three strikes and you're out)
> > 
> > best,
> > Herbert
> > 
> > > Russell
> > > 
> > > ___
> > > Vserver mailing list
> > > Vserver@list.linux-vserver.org
> > > http://list.linux-vserver.org/mailman/listinfo/vserver
> -- 
> When we are happy, we are good.
> But when we are good, we are not always happy...
> -Oscar Wilde
> 
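Herbert describes the dentry limit as "accounted and compared to a hard limit, which, when hit, will return an error". The following host-side check is an added example for this thread (it is neither Linux-VServer code nor code from any poster): it applies the same count-and-compare idea to the kernel's global dentry-cache counters in /proc/sys/fs/dentry-state, so an administrator on a mainline kernel without per-guest limits can at least detect runaway dentry growth. The first two fields of that file are nr_dentry and nr_unused; the thresholds, the sample interval and the sample lines in the test are assumed values for illustration.

```python
"""Host-side dentry growth check.

Added example for this thread; it is not Linux-VServer code and not from
any poster.  Linux exposes global dentry-cache counters in
/proc/sys/fs/dentry-state as whitespace-separated integers; the first two
are nr_dentry (dentries in use) and nr_unused.  The script samples that
file twice, compares nr_dentry with a hard limit and with a growth-rate
ceiling (the same count-and-compare idea as the per-guest dentry limit
discussed on the list), and reports a verdict.  Thresholds and the sample
interval are assumed values.
"""
import time
from dataclasses import dataclass

DENTRY_STATE = "/proc/sys/fs/dentry-state"

# Assumed thresholds; tune them to the host's normal dentry usage.
HARD_LIMIT = 1_000_000      # absolute nr_dentry ceiling
MAX_RATE = 5_000.0          # allowed growth in dentries per second
INTERVAL_S = 10.0           # seconds between the two samples


@dataclass(frozen=True)
class DentryState:
    nr_dentry: int
    nr_unused: int
    age_limit: int
    want_pages: int


def parse_dentry_state(line: str) -> DentryState:
    """Parse one /proc/sys/fs/dentry-state line; only the first four fields are used."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"unexpected dentry-state line: {line!r}")
    nr_dentry, nr_unused, age_limit, want_pages = (int(f) for f in fields[:4])
    return DentryState(nr_dentry, nr_unused, age_limit, want_pages)


def read_dentry_state(path: str = DENTRY_STATE) -> DentryState:
    """Read and parse the live counters (Linux only)."""
    with open(path, encoding="ascii") as fh:
        return parse_dentry_state(fh.read())


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def check_growth(prev: DentryState, cur: DentryState, interval_s: float,
                 hard_limit: int = HARD_LIMIT, max_rate: float = MAX_RATE) -> Verdict:
    """Flag the cache when it is at/over the hard limit or growing faster than max_rate/s."""
    if cur.nr_dentry >= hard_limit:
        return Verdict(False, f"nr_dentry {cur.nr_dentry} is at or over the hard limit {hard_limit}")
    if interval_s > 0:
        rate = (cur.nr_dentry - prev.nr_dentry) / interval_s
        if rate > max_rate:
            return Verdict(False, f"dentry count growing at {rate:.0f}/s, ceiling is {max_rate:.0f}/s")
    return Verdict(True, "dentry count within limits")


def main() -> None:
    # Two live samples, INTERVAL_S apart, then one verdict line for a cron job or monitor.
    prev = read_dentry_state()
    time.sleep(INTERVAL_S)
    cur = read_dentry_state()
    verdict = check_growth(prev, cur, INTERVAL_S)
    print("OK" if verdict.ok else "ALERT", verdict.reason)


if __name__ == "__main__":
    main()
```

Run it from cron or a monitoring agent on the host; a growth-rate alert points at a guest that is creating directory entries far faster than normal workloads do, which is the moment the "warning from the hoster" policy Herbert mentions would apply. On a kernel with per-guest dentry limits the hard-limit branch is the kernel's job; the rate check is still useful as an early warning before any limit is reached.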


Re: [Vserver] Denial of service issue

2006-06-14 Thread Nikolay Kichukov
Hi all,
I was following the thread and if possible I would like someone to
elaborate on a few more points.

Which is the version of the utils in development that can resolve that
matter if dentry limits is applied? When was this fix applied?

How does the dentry limit work and how is it configured on the host
side? As Herbert said "(e.g. three strikes and you're out)" how to
configure that for example?

Thanks and regards,
-Nikolay Kichukov

On Wed, 2006-06-14 at 01:10 +0200, Herbert Poetzl wrote:
> On Tue, Jun 13, 2006 at 09:16:48PM +1000, Russell Kliese wrote:
> > I was just reading an article on kernel trap that raised some issues about
> > linux-vservers: http://kerneltrap.org/node/6492 .
> > 
> > In particular, the following denial of service attack from within a
> > vserver seemed worrying because of its simplicity.
> > 
> > > run a program doing `mkdir("aaa"); chdir("aaa");' in a loop inside
> > > Linux-VServer VPS and see what happens.
> > 
> > Is there work being done to prevent such DoS attacks? I have to admit
> > that I haven't tested this yet and it might just be FUD, but I thought
> > that I might as well ask.
> 
> dentry limits in devel prevent this specific DoS
> attack, but IMHO there will always be some way to
> 'hurt' a system which is based on resource sharing,
> so the best approach is to apply some policy there
> (e.g. three strikes and you're out)
> 
> best,
> Herbert
> 
> > Russell
> > 
-- 
When we are happy, we are good.
But when we are good, we are not always happy...
-Oscar Wilde



Re: [Vserver] Denial of service issue

2006-06-13 Thread Russell Kliese
Thanks for all of your replies. I posted a reply on kerneltrap in case
other people are interested in what is happening with this issue.

Russell




Re: [Vserver] Denial of service issue

2006-06-13 Thread Herbert Poetzl
On Tue, Jun 13, 2006 at 09:16:48PM +1000, Russell Kliese wrote:
> I was just reading an article on kernel trap that raised some issues about
> linux-vservers: http://kerneltrap.org/node/6492 .
> 
> In particular, the following denial of service attack from within a
> vserver seemed worrying because of its simplicity.
> 
> > run a program doing `mkdir("aaa"); chdir("aaa");' in a loop inside
> > Linux-VServer VPS and see what happens.
> 
> Is there work being done to prevent such DoS attacks? I have to admit
> that I haven't tested this yet and it might just be FUD, but I thought
> that I might as well ask.

dentry limits in devel prevent this specific DoS
attack, but IMHO there will always be some way to
'hurt' a system which is based on resource sharing,
so the best approach is to apply some policy there
(e.g. three strikes and you're out)

best,
Herbert

> Russell
> 


Re: [Vserver] Denial of service issue

2006-06-13 Thread Christian Heim
On Tuesday 13 June 2006 11:26, Guenther Fuchs wrote:
>This is not "only" a vserver DoS attack as far as I understood, this
>is a general Linux issue I guess.

Yup, it is also a Mainline issue.

-- 
Christian Heim <[EMAIL PROTECTED]>
Gentoo Linux Developer - vserver/openvz




Re: [Vserver] Denial of service issue

2006-06-13 Thread Guenther Fuchs
Hi there,

on Tuesday, June 13, 2006 at 1:16:48 PM there was posted:

RK> Is there work being done to prevent such DoS attacks?

Yes, on his "linuxtage" task Herbert mentioned this already being
fixed (minimum in development release) through "directory" limits to
be set on guest configurations (Herbert for sure will reply on this as
soon as he reads it).

This is not "only" a vserver DoS attack as far as I understood, this
is a general Linux issue I guess.

RK> I have to admit that I haven't tested this yet and it might just
RK> be FUD, but I thought that I might as well ask.

Unfortunately not, but as it is "just" a DoS thing and easy to find
the source, most users wouldn't issue it still. Anyhow, it is a risk
- and it (minimum in the near future) will / can be solved.

That's the good news 8-)

-- 
regards 'n greez,

Guenther Fuchs
(aka "muh" and "powerfox")



[Vserver] Denial of service issue

2006-06-13 Thread Russell Kliese
I was just reading an article on kernel trap that raised some issues about
linux-vservers: http://kerneltrap.org/node/6492 .

In particular, the following denial of service attack from within a
vserver seemed worrying because of its simplicity.

> run a program doing `mkdir("aaa"); chdir("aaa");' in a loop inside
> Linux-VServer VPS and see what happens.

Is there work being done to prevent such DoS attacks? I have to admit that
I haven't tested this yet and it might just be FUD, but I thought that I
might as well ask.

Russell
