LinuxQuestions.org
Linux - Kernel This forum is for all discussion relating to the Linux kernel.

02-04-2008, 12:50 PM   #1
blindmatrix
Process group - Feature idea and input wanted


Hello, I have an idea for a new feature that could possibly give a higher level of system-level DDoS protection, and I want your input; if it's positive I'd also want to know how to make my idea heard. I'm not ready to add this feature myself :P

The concept is to form a process group: when Apache is started, all the forks should be marked as a single big entity so that resources are throttled as such. For example, an IO fairness queue should not divide the resources among all the system processes, including all of Apache's children, but should count ALL the children as a single entity, so that when the load is heavy all the children should get as much IO time as SSH or other services...?

Get my idea? The concept would then be to run a system call before starting the fork()s and exec()s that would group them as such:

processgroup_enable();            /* proposed call: group this process and all the children it forks */
for (each process to be started)
    fork();

so the processgroup setting should be shared by every child...

Now for the input: is this a good idea? Has anyone had the same idea before? Pros and cons? Even if this isn't considered a good idea I would still like to know what people's reactions are.

/Sven
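What the post above sketches as processgroup_enable() exists in Linux as control groups (cgroups), which were merged in 2.6.24 together with the CFS group scheduler. The following is an added example and not code from the thread: it creates one cgroup v2 group per service with a cpu.weight and an io.weight, moves the calling process into its group before it forks (fork() copies cgroup membership, so every child is accounted to the same group), and reads the settings back. The mount point /sys/fs/cgroup and the service names httpd, postfix and sshd are assumptions; the real hierarchy is only writable as root, so a dry_run() against a scratch directory is included.

```python
"""Added example: the OP's processgroup_enable() idea, implemented with the
cgroup v2 interface. Each service gets its own cgroup with proportional
cpu.weight / io.weight; a process that joins a group before calling fork()
has all its children scheduled as that one group. Mount point and service
names are assumptions; writing under /sys/fs/cgroup requires root."""
import os
import tempfile
from pathlib import Path

CGROUP_ROOT = Path("/sys/fs/cgroup")   # cgroup v2 unified hierarchy (assumed mount point)


def enable_controllers(root: Path, controllers=("cpu", "io")) -> None:
    """cgroup v2 hands a controller to child groups only after it has been
    enabled in the parent's cgroup.subtree_control."""
    (root / "cgroup.subtree_control").write_text(
        " ".join(f"+{c}" for c in controllers) + "\n")


def create_service_group(root: Path, name: str,
                         cpu_weight: int = 100, io_weight: int = 100) -> Path:
    """Create <root>/<name> with proportional weights. 100 is the default and
    the kernel accepts 1..10000; a group's share is weight / sum(weights) of
    the groups actually competing, so equal weights give the equal
    per-service split the post asks for."""
    for w in (cpu_weight, io_weight):
        if not 1 <= w <= 10000:
            raise ValueError(f"cgroup v2 weights must be in 1..10000, got {w}")
    group = root / name
    group.mkdir(exist_ok=True)
    (group / "cpu.weight").write_text(f"{cpu_weight}\n")
    (group / "io.weight").write_text(f"{io_weight}\n")
    return group


def processgroup_enable(root: Path, name: str, **weights) -> Path:
    """The OP's proposed call: put the *calling* process into the service
    group. fork() copies cgroup membership, so every child started afterwards
    is accounted to this group with no further calls."""
    group = create_service_group(root, name, **weights)
    (group / "cgroup.procs").write_text(f"{os.getpid()}\n")
    return group


def read_weight(group: Path, controller: str) -> int:
    """Read a weight back. cpu.weight reads as '100'; io.weight reads as
    'default 100' followed by optional per-device lines, so take the last
    token of the first line."""
    first_line = (group / f"{controller}.weight").read_text().splitlines()[0]
    return int(first_line.split()[-1])


def members(group: Path) -> set:
    """PIDs currently accounted to the group."""
    return {int(p) for p in (group / "cgroup.procs").read_text().split()}


def dry_run() -> dict:
    """Build the same tree in a scratch directory so the files that would be
    written can be inspected without root or a real cgroup mount."""
    root = Path(tempfile.mkdtemp(prefix="cgroup-dryrun-"))
    enable_controllers(root)
    for svc in ("postfix", "sshd"):                 # assumed service names
        create_service_group(root, svc)
    httpd = processgroup_enable(root, "httpd", cpu_weight=300)   # 3x the others
    try:
        create_service_group(root, "bad", cpu_weight=0)          # out of range
        rejected = False
    except ValueError:
        rejected = True
    return {
        "subtree_control": (root / "cgroup.subtree_control").read_text(),
        "groups": sorted(p.name for p in root.iterdir() if p.is_dir()),
        "httpd_cpu_weight": read_weight(httpd, "cpu"),
        "httpd_io_weight": read_weight(httpd, "io"),
        "self_in_httpd": os.getpid() in members(httpd),
        "rejects_bad_weight": rejected,
    }


if __name__ == "__main__":
    # Real use: run as root on a cgroup v2 system.
    enable_controllers(CGROUP_ROOT)
    for svc in ("httpd", "postfix", "sshd"):
        create_service_group(CGROUP_ROOT, svc)      # equal share of contended CPU and IO
    processgroup_enable(CGROUP_ROOT, "httpd")
    for _ in range(4):                              # children inherit the cgroup
        if os.fork() == 0:
            print(open("/proc/self/cgroup").read().strip())   # e.g. 0::/httpd
            os._exit(0)
    for _ in range(4):
        os.wait()
```

Anything forked after processgroup_enable() stays in the group, which is the "shared by every child" property the post asks for; on a cgroup v2 system a child's /proc/self/cgroup shows the group path. The weights are proportional, not caps: a service alone on the box still gets 100%.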
 
02-04-2008, 07:12 PM   #2
unSpawn
Aren't (distributed) DoSes remotely controlled network resource exhaustion attacks? I mean, shouldn't that imply placing mitigating stuff in front of the "victim", network-wise?
 
02-04-2008, 09:57 PM   #3
blindmatrix
The concept that I'm thinking about is more to limit the damage when an attack is running, by limiting the time that services can steal from other services, like a file IO queue, send()/recv() queues and such...
 
02-05-2008, 07:26 AM   #4
unSpawn
Quote:
Originally Posted by blindmatrix
The concept that I'm thinking about is more to limit the damage when an attack is running by limiting the time that services can steal from other services like a file IO queue, send() recv() queues and such...
Then you should start by defining what "damage" is and what constitutes an "attack". I mean, those are human interpretations of a situation, right? I mean, on a box with 64G RAM I may *want* to accept 20K sockets and it wouldn't constitute an attack. If that's not what you mean then maybe you mean something like "create a separate scheduler class for all processes belonging to one SID"?
 
02-05-2008, 04:05 PM   #5
blindmatrix
Quote:
Originally Posted by unSpawn
Then you should start by defining what "damage" is and what constitutes an "attack". I mean, those are human interpretations of a situation, right? I mean, on a box with 64G RAM I may *want* to accept 20K sockets and it wouldn't constitute an attack. If that's not what you mean then maybe you mean something like "create a separate scheduler class for all processes belonging to one SID"?
True, "damage" in my case is that the machine freezes, not that the webserver dies... in systems where one computer serves more tasks than just a webserver, like mail and databases and such, all in one box. To prevent the webserver from eating up too much of the scheduled time; but as I stated, I want ideas, more of a discussion than "give me this"...

But I guess an alternative scheduler is what I'm thinking about, both for disk I/O and CPU time... and possibly network fairness queues too...

The idea felt so good a few days ago but I'm starting to think that it wasn't as good at all :P...

The result should be something similar to putting a few machines under Xen and telling it to partition resources evenly to all DomUs, but on a single-system basis, so that services have a guarantee of getting some time slices...

Considering the existing fairness support, things look good if all subsystems only run a single process and thread. Then all services would get a somewhat equal slice of CPU and IO, but the problem starts when a single service takes up more than one piece of time requesters, like some sort of DoS attack which would result in the server being bogged down waiting on disk IO if the disk IO channels were slow.

However, if no other process requires attention then one process should be able to take 100% for itself. But say that Apache is extremely heavily loaded, and so is your MTA; then it's likely that other services won't get that much time allocated, as there will be ~100 units of time allocated to the ~100 instances of Apache, and say ~50 units allocated to the ~50 processes of your MTA, and then our beloved SSH server, which only has 2 processes running at this time, will only get 2 units of time, leaving ~1.3% of the system available to SSH...

Under these conditions it would be much nicer if the web server got 1 slot of time, the MTA got 1 slot of time and the SSH server also got 1 slot of time; that means that the SSH server's 2 processes would get a lot more time per process than the webserver's...
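The ~100 / ~50 / 2 arithmetic in the post above, worked through as an added example that is not part of the thread: flat per-task shares (each runnable task gets 1/N) against a two-level split that is fair between services first and between a service's own tasks second, which is what CFS group scheduling (CONFIG_FAIR_GROUP_SCHED, merged in 2.6.24) does for cgroups. The task counts are the post's; the demand figures (for instance sshd only being able to use 5% of the box) are assumed, and show the "one process can still take 100% when nobody else wants it" behaviour the post asks for.

```python
"""Added example (not from the thread): the time-slice arithmetic of the post,
for a flat per-task scheduler versus one that is fair between services first.
Task counts are the post's (~100 Apache, ~50 MTA, 2 sshd); demands are assumed."""
from __future__ import annotations

import math

# Runnable tasks per service, as in the post.
TASKS = {"apache": 100, "mta": 50, "sshd": 2}


def flat_shares(tasks: dict[str, int]) -> dict[str, float]:
    """Per-task fairness: every runnable task gets 1/N of the CPU, so a
    service's share is simply its head count over the total."""
    total = sum(tasks.values())
    return {svc: n / total for svc, n in tasks.items()}


def group_shares(weights: dict[str, float],
                 demand: dict[str, float] | None = None,
                 capacity: float = 1.0) -> dict[str, float]:
    """Max-min (water-filling) split of `capacity` between services in
    proportion to `weights`, independent of how many tasks each runs.
    A service whose demand is below its proportional slice keeps only what it
    demands; the surplus is redistributed to the others in proportion to
    their weights, so an otherwise idle box lets one service take 100%."""
    demand = dict(demand or {})
    alloc: dict[str, float] = {}
    remaining = dict(weights)
    while remaining:
        total_w = sum(remaining.values())
        # Services that would get more than they can use at the current split.
        satisfied = [s for s, w in remaining.items()
                     if demand.get(s, math.inf) <= capacity * w / total_w]
        if not satisfied:
            # Everybody left can use its slice: split what is left by weight.
            for s, w in remaining.items():
                alloc[s] = capacity * w / total_w
            break
        for s in satisfied:
            alloc[s] = demand[s]
            capacity -= demand[s]
            del remaining[s]
    return alloc


def per_task(shares: dict[str, float], tasks: dict[str, int]) -> dict[str, float]:
    """Share of the CPU each individual task of a service ends up with."""
    return {svc: shares[svc] / tasks[svc] for svc in tasks}


if __name__ == "__main__":
    equal = {svc: 1 for svc in TASKS}               # one slot per service
    flat, grouped = flat_shares(TASKS), group_shares(equal)
    for svc in TASKS:
        print(f"{svc:7s} flat {flat[svc]:6.1%}  grouped {grouped[svc]:6.1%}  "
              f"per task {per_task(flat, TASKS)[svc]:.4f} -> "
              f"{per_task(grouped, TASKS)[svc]:.4f}")
    # Assumed: sshd can only use 5% of the box; its unused slice goes back to
    # apache and mta instead of being wasted.
    print(group_shares(equal, demand={"sshd": 0.05}))
```

Flat scheduling gives sshd 2/152 of the CPU, the ~1.3% from the post; the grouped split gives it a third, so each sshd process gets (1/3)/2 of the box against (1/3)/100 for an Apache worker, fifty times more per process. Equal weights were assumed here; cgroup cpu.weight values plug in as the `weights` argument unchanged.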
 
  

