tech-userlevel archive


Re: proposal: inetd improvements.



On Jun 2, 2010, at 1:05 26PM, Matthew Mondor wrote:

> On Wed, 02 Jun 2010 11:16:40 +0100
> elric%imrryr.org@localhost wrote:
> 
>> I am thinking of using inetd to run a few services in a production
>> environment and in order to make it robust and featureful enough to
>> do so, I would like to make the following list of changes to it:
>> 
>>      1.  maximum connexions per unit time is not a terribly
>>          useful feature and in fact makes the use of inetd in
>>          an enterprise unusable as it is a built-in denial of
>>          service.  I propose that we keep track of the number
>>          of outstanding children and place a maximum on that
>>          rather than connexions per second.  Perhaps we can
>>          leave connexions per unit time in the code but strongly
>>          discourage its use,
> 
> Per-client address connection limits and/or throttling are more useful
> than global throttling, IMO.

Global throttling isn't a security defense; it's a way to deal with failed 
execs and the like.

                --Steve Bellovin, http://www.cs.columbia.edu/~smb
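As an added illustration of the two limits discussed in the thread (a cap on outstanding children per service instead of connections per unit time, and Matthew's per-client-address limit), here is a small, self-contained limiter. It is example code written for this page, not code from NetBSD inetd or from any poster; the cap values, the function names and the use of text addresses as keys are assumptions.

```c
#include <string.h>
#include <sys/types.h>

/* Assumed caps for one service entry; real values would come from inetd.conf. */
#define MAX_CHILDREN   8     /* global cap on live children, replaces rate limiting */
#define MAX_PER_CLIENT 4     /* per-client-address cap, as suggested in the thread */
#define ADDR_LEN       46    /* room for an IPv6 address in text form */

struct child { pid_t pid; char addr[ADDR_LEN]; };   /* pid 0 marks a free slot */
static struct child children[MAX_CHILDREN];
static int outstanding;                             /* live children right now */

/* Number of live children serving the given client address. */
static int count_for(const char *addr) {
    int n = 0;
    for (int i = 0; i < MAX_CHILDREN; i++)
        if (children[i].pid != 0 && strcmp(children[i].addr, addr) == 0) n++;
    return n;
}

/* Called after accept() and before fork(): may this connection be served now?
 * Returns 1 to serve it, 0 to refuse (caller closes the socket, no sleep). */
int limiter_allow(const char *addr) {
    if (outstanding >= MAX_CHILDREN) return 0;      /* global cap on live children */
    if (count_for(addr) >= MAX_PER_CLIENT) return 0; /* one client cannot take all */
    return 1;
}

/* Called in the parent after a successful fork(): record the child. */
int limiter_child_started(pid_t pid, const char *addr) {
    for (int i = 0; i < MAX_CHILDREN; i++) {
        if (children[i].pid != 0) continue;
        children[i].pid = pid;
        strncpy(children[i].addr, addr, ADDR_LEN - 1);
        children[i].addr[ADDR_LEN - 1] = '\0';
        outstanding++;
        return 0;
    }
    return -1;                                      /* no free slot */
}

/* Called from the waitpid() loop driven by SIGCHLD: release the slot. */
int limiter_child_exited(pid_t pid) {
    for (int i = 0; i < MAX_CHILDREN; i++) {
        if (children[i].pid != pid) continue;
        children[i].pid = 0;
        outstanding--;
        return 0;
    }
    return -1;                                      /* unknown pid, nothing to free */
}

int limiter_outstanding(void) { return outstanding; }
```

Because a slot is freed only when the child is reaped, a child that fails to exec and exits immediately simply returns its slot, so a bad service entry does not take the whole daemon out of service the way a connections-per-second trigger would.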
