Posted to users@httpd.apache.org by Duncan <ap...@ring-wraith.com> on 2002/03/31 04:20:00 UTC

fork bombs ... how to prevent malicious attacks?

Hi,

I recently encountered a fork-bomb on my server.
I haven't had any experience with this kind of stuff before, so it took me quite a while to figure out what's going on and how to remove it.
So, I would like to know if there is any way I can set Apache or configure my server, so that such fork-bombs won't crash my server again?

Is there any kind of real-time protection, or is the only way to check the cgi-files for such content?

Sorry, I am really new to this and would like to learn more, so that such a thing won't happen again.
...I will never understand those guys that do such stuff...

regards,

Duncan



Re: fork bombs ... how to prevent malicious attacks?

Posted by Joshua Slive <jo...@slive.ca>.
On Sun, 31 Mar 2002, Duncan wrote:

> Hi,
>
> I recently encountered a fork-bomb on my server.
> I haven't had any experience with this kind of stuff before, so it took
> me quite a while to figure out what's going on and how to remove it.
> So, I would like to know if there is any way I can set Apache or
> configure my server, so that such fork-bombs won't crash my server again?
>
> Is there any kind of real-time protection, or is the only way to check
> the cgi-files for such content?
>

You can look at the RLimit* directives.  These should tackle the simple
"while(1) fork();" things.  Of course, if you are allowed to run arbitrary
cgi scripts, then there are probably lots of different creative ways to
crash a server.

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: fork bombs ... how to prevent malicious attacks?

Posted by Ryan Thompson <ry...@sasknow.com>.
Duncan wrote to users@httpd.apache.org:

> Hi,
>
> I recently encountered a fork-bomb on my server.

Lucky you!

> I haven't had any experience with this kind of stuff before, so it
> took me quite a while to figure out what's going on and how to
> remove it. So, I would like to know if there is any way I can set
> Apache or configure my server, so that such fork-bombs won't crash my
> server again?

This is mostly OS-specific. Check your operating system documentation
for details on how to set per-user limits on process creation, soft
and hard process limits, CPU and memory usage. Then, make sure that
your users' CGI scripts run as real users through suexec. Set
reasonable limits on processes, and fork bombs won't get very far.

That being said, most operating systems reserve a few PIDs for root in
the event that this happens, so you may still be able to log in as
root (in UNIX anyway) to kill the fork bomb yourself. However, it is
better, as you ask, to prevent this sort of thing from happening in
the first place.


> Is there any kind of real-time protection, or is the only way to
> check the cgi-files for such content?

It is pretty easy to code a fork bomb accidentally, and there are a
lot worse things that somebody could do (in an attempt) to hose your
server. User limits on processes are your best bet for 50% of things.
For the other 50%, appropriate filesystem permissions will help.

A good general reference on network security will answer similar
related questions that you might have.


> Sorry, I am really new to this and would like to learn more, so that
> such a thing won't happen again.
>
> ...I will never understand those guys that do such stuff...
>
> regards,
>
> Duncan
>

-- 
  Ryan Thompson <ry...@sasknow.com>
  Network Administrator, Accounts

  SaskNow Technologies - http://www.sasknow.com
  #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

        Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America

