Subject: Re: Fork bomb protection patch
To: None <tech-kern@netbsd.org, woods@weird.com>
From: M. Warner Losh <imp@bsdimp.com>
List: tech-kern
Date: 12/06/2002 01:11:46
In message: <20021205073415.6BB32A@proven.weird.com>
woods@weird.com (Greg A. Woods) writes:
: [ On Thursday, December 5, 2002 at 08:10:13 (+0100), Havard Eidnes wrote: ]
: > Subject: Re: Fork bomb protection patch
: >
: > > an admin can come by and kill them off, though.
: >
: > ...with great effort and a bit of luck,
:
: It's not that hard -- especially not if you've got a whole ten spare
: process slots to play with. What joy! What bliss!

Actually, yes it is hard. I've cleaned up from several fork bombs and
you gotta get the right ps | grep | xargs kill right or the fork bomb
survives. Even then there is a race between the ps and more processes
forking. I usually have to run my ps | grep | xargs kill command
several times in a row to completely kill the forkbomb w/o a rate
limiter.

: It's not even hard with just one slot (and a shell built-in kill
: command), once you learn the tricks, especially if you have cut&paste
: with your xterm window and some other handy tools running on some fast
: responding local workstation.

If processes are coming and going quickly, cut and paste is useless.
By the time you get to paste, that process is long gone.

: > To quote the FreeBSD commit log message at
: >
: > http://docs.freebsd.org/cgi/getmsg.cgi?fetch=614295+0+archive/2002/cvs-all/20020224.cvs-all
: >
: > - Force any process trying to fork beyond its user's maximum
: > number of processes to sleep for .5 seconds before returning
: > failure. This turns 2000 rampaging fork monsters into 2000
: > harmlessly snoozing fork monsters.
:
: That's clearly the wrong solution to the problem.

Strange, but it works great for me. Before the commit, I had lots of
problems with forkbombs on systems that I had to deal with. After the
commit, I've not had these problems (even to the point of not really
noticing the fork bomb for a few days). That seems like a huge
improvement to me.

Having lived several months in the forkbomb-free zone of FreeBSD shows
that this change is very worthwhile.

Warner
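
The effect of the half-second sleep from the quoted commit log on an admin's cleanup command, as a toy scheduler model added here (not part of the original message and not FreeBSD or NetBSD code). It assumes one CPU, strict round-robin with 10 us slices, a failed fork costing one slice, and a cleanup pipeline that needs 200 ms of CPU; the 2000 processes and the 0.5 s sleep come from the quoted commit log, and the function name is hypothetical.

```c
#include <stdio.h>

#define MAXPROC 4096

/*
 * Toy single-CPU round-robin model (all parameters are assumptions of this
 * example). nproc looping processes sit at the per-user process limit, so
 * every fork attempt fails and costs one time slice. penalty is the number
 * of slices a process sleeps after a failed fork (0 = no rate limiter).
 * The admin's cleanup job needs `work` slices of CPU.
 * Returns the number of slices that elapse before the admin's job finishes,
 * or -1 on bad arguments.
 */
long slices_until_cleanup_done(int nproc, long penalty, long work)
{
    static long wake[MAXPROC];   /* first slice at which process i may run */
    long t = 0;
    int next = 0, who, i;

    if (nproc < 0 || nproc > MAXPROC || penalty < 0 || work < 0)
        return -1;
    for (i = 0; i < nproc; i++)
        wake[i] = 0;

    while (work > 0) {
        /* Round-robin: first runnable entry from `next`; index nproc is the admin. */
        for (who = next; who != nproc && wake[who] > t; who++)
            ;
        if (who == nproc)
            work--;                       /* admin got this slice */
        else
            wake[who] = t + 1 + penalty;  /* fork failed; sleep if rate limited */
        next = (who + 1) % (nproc + 1);
        t++;
    }
    return t;
}

int main(void)
{
    /* 10 us slices: 0.5 s penalty = 50000 slices, 200 ms of admin work = 20000. */
    printf("no limiter:  %ld slices\n", slices_until_cleanup_done(2000, 0, 20000));
    printf("0.5 s sleep: %ld slices\n", slices_until_cleanup_done(2000, 50000, 20000));
    return 0;
}
```

Under these assumptions the cleanup job finishes after 22000 slices (0.22 s) with the sleep and after 40020000 slices (about 400 s) without it.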