[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: proposal: inetd improvements.
On Jun 2, 2010, at 1:05 26PM, Matthew Mondor wrote:
> On Wed, 02 Jun 2010 11:16:40 +0100
> elric%imrryr.org@localhost wrote:
>> I am thinking of using inetd to run a few services in a production
>> environment and in order to make it robust and featureful enough to
>> do so, I would like to make the following list of changes to it:
>> 1. maximum connexions per unit time is not a terribly
>> useful feature and in fact makes the use of inetd in
>> an enterprise unusable as it is a built-in denial of
>> service. I propose that we keep track of the number
>> of outstanding children and place a maximum on that
>> rather than connexions per second. Perhaps we can
>> leave connexions per unit time in the code but strongly
>> discourage its use,
> Per-client address connection limits and/or throttling are more useful
> than global throttling, IMO.
Global throttling isn't a security defense; it's a way to deal with failed
execs and the like.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
Main Index |
Thread Index |