tech-userlevel archive


Re: proposal: inetd improvements.

On Jun 2, 2010, at 1:05 26PM, Matthew Mondor wrote:

> On Wed, 02 Jun 2010 11:16:40 +0100
> wrote:
>> I am thinking of using inetd to run a few services in a production
>> environment and in order to make it robust and featureful enough to
>> do so, I would like to make the following list of changes to it:
>>      1.  maximum connexions per unit time is not a terribly
>>          useful feature and in fact makes the use of inetd in
>>          an enterprise unusable as it is a built-in denial of
>>          service.  I propose that we keep track of the number
>>          of outstanding children and place a maximum on that
>>          rather than connexions per second.  Perhaps we can
>>          leave connexions per unit time in the code but strongly
>>          discourage its use,
> Per-client address connection limits and/or throttling are more useful
> than global throttling, IMO.

Global throttling isn't a security defense; it's a way to deal with failed 
execs and the like.

                --Steve Bellovin,
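An added example, not from this thread or from inetd's own source, that models the three admission policies discussed above (global connections per window, a cap on outstanding children, and a per-source-address cap) against two constructed workloads: one source flooding and holding connections open while a second source tries to connect, and a service whose exec fails so every child exits at once. The Dispatcher class, the addresses and the limits are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque


class Dispatcher:
    """Admission control for an inetd-style listener (constructed model)."""

    def __init__(self, rate_limit=None, max_children=None, per_source=None, window=60.0):
        self.rate_limit, self.max_children, self.per_source = rate_limit, max_children, per_source
        self.window = window
        self.starts = deque()                 # accept timestamps inside the rate window
        self.children = {}                    # conn_id -> source address of live child
        self.per_src = defaultdict(int)       # live children per source address

    def accept(self, now, conn_id, src):
        """Return True if the connection is handed to a child, False if refused."""
        while self.starts and self.starts[0] <= now - self.window:
            self.starts.popleft()             # drop accepts that left the window
        if self.rate_limit is not None and len(self.starts) >= self.rate_limit:
            return False                      # global connections-per-window policy
        if self.max_children is not None and len(self.children) >= self.max_children:
            return False                      # outstanding-children policy
        if self.per_source is not None and self.per_src[src] >= self.per_source:
            return False                      # per-source-address policy
        self.starts.append(now)
        self.children[conn_id] = src
        self.per_src[src] += 1
        return True

    def child_exit(self, conn_id):
        self.per_src[self.children.pop(conn_id)] -= 1


def flood_scenario(policy):
    """One source opens 200 connections and holds them; does a second source get in?"""
    d = Dispatcher(**policy)
    for i in range(200):                      # constructed flood from 10.0.0.1
        d.accept(now=0.0, conn_id=("flood", i), src="10.0.0.1")
    return d.accept(now=1.0, conn_id=("other", 0), src="10.0.0.2")


def failed_exec_scenario(policy, attempts=500):
    """Exec fails, so each child exits immediately; how many forks does the policy allow?"""
    d = Dispatcher(**policy)
    accepted = 0
    for i in range(attempts):                 # one client retrying every 10 ms
        if d.accept(now=i * 0.01, conn_id=i, src="10.0.0.3"):
            accepted += 1
            d.child_exit(i)                   # child died at once: nothing outstanding
    return accepted
```

With only a global limit (rate or outstanding children) the flooding source locks out the second client, while a per-source cap lets it through; conversely, an outstanding-children cap never stops the fork loop of a failing exec, which the global rate limit does bound.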
