On 10/9/18 0810 UTC, Daniel P. Berrangé wrote:
AFAICT, the TCP receive buffer size is about 200 KB per socket.
With the current nfile=4096, it looks like a single process
can already consume 200 KB * 4096 = ~800 MB of RAM just by
using TCP sockets.
IOW, does the nfiles limit make a real world difference to
avoiding memory DOS, if you can just pick a different DOS
attack vector instead?
Yes, it does. The attacker might not think of TCP.
Also, the usual successful TCP connection requires cooperation
from a "far" endpoint, which can be cumbersome to arrange.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
