On Tue, Dec 15, 2020 at 03:43:38PM -0700, Theo de Raadt wrote:
> Jan Klemkow <j.klem...@wemelug.de> wrote:
> 
> > for frequent performance tests it would be nice to just start tcpbench
> > as a regular service.  tcpbench gets an extra user and group with this
> > diff and is already pledged to "stdio".  Thus, there should be no
> > security risk to do this even in hostile environments.
> 
> You're kidding me.  If someone starts this in a hostile environment, their
> network/host will be flattened.

You are right, someone can use this to flood a link.  But you can
flood someone's link with traffic anyway, as botnets do it, or?

> I find it difficult to believe there is any environment where someone
> wants tcpbench running *all the time*.

Sure, it's not ideal to run this on public interfaces.  I just want to
say, it's unlikely that someone will take over your system via bugs in
this daemon, in my opinion, as it has similar mitigation techniques
to our other daemons.

I run this daemon in permanent test setups and on links to different
locations.  It's easier to use rcctl enable/start than to deal with
background sessions on remote machines in shell scripts.

Do you think it's OK to make a port out of this rc-script for this
purpose?
