[Bug 1179820] New: Kerberos KDC connection limit too low

Greg Hudson ghudson at mit.edu
Thu Jan 22 11:19:49 EST 2015


On 01/22/2015 09:56 AM, Roland C. Dowdeswell wrote:
> A simple heuristic approach that would likely do what you want
> would be to simply check the fd returned by accept(2) and if it is
> ``too close'' to the ulimit then switch off accepting connexions.

1. We don't currently use getrlimit(), and beginning to do so would
require thinking about its portability.  That's a source of complexity.

2. This method does not take into account memory limitations, only fd
limitations.

3. This method requires an estimate of how many fds the KDC might use
during processing of currently pending requests.

4. If we switch off accepting new connections, an attacker can DOS the
TCP portion of the KDC by simply filling up the connection table and
doing nothing.  If we discard old connections as we currently do, the
attacker has to keep creating connections, and some legitimate requests
might still get through.

> This approach has the added advantage of using existing configuration
> to determine the limit rather than creating new configuration
> settings that admins would need to learn how to manage.

We can't really inquire from the environment how much memory it is
reasonable for the KDC to use (or even how much it is currently using,
which isn't a simple number in the age of copy-on-write), so I don't
think we can automatically determine a good connection limit.
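
Added example, not part of the original message and not taken from the krb5 source: a toy C simulation of point 4 above, comparing a table that refuses new connections when full with one that discards its oldest connection. `TABLE_SIZE`, the round-based model and all function names are assumptions made for illustration.

```c
#include <string.h>

#define TABLE_SIZE 8    /* constructed cap standing in for the connection limit */
enum policy { REFUSE_WHEN_FULL, EVICT_OLDEST };
struct conn { int in_use; int id; };            /* id grows with admission order */
struct table { struct conn slot[TABLE_SIZE]; int next_id; };

/* Admit a connection; return its slot, or -1 if the policy refuses it. */
static int admit(struct table *t, enum policy p)
{
    int i, oldest = 0;
    for (i = 0; i < TABLE_SIZE && t->slot[i].in_use; i++)
        if (t->slot[i].id < t->slot[oldest].id)
            oldest = i;
    if (i == TABLE_SIZE) {
        if (p == REFUSE_WHEN_FULL)
            return -1;
        i = oldest;                 /* discard the oldest connection */
    }
    t->slot[i].in_use = 1;
    t->slot[i].id = t->next_id++;
    return i;
}

/* The table starts full of idle connections. Each round one legitimate client
 * connects, idle_per_round more idle connections arrive, and the client is
 * served only if its connection is still in the table. Returns clients served. */
int served_under_idle_load(enum policy p, int rounds, int idle_per_round)
{
    struct table t;
    int r, k, s, id, served = 0;
    memset(&t, 0, sizeof(t));
    for (k = 0; k < TABLE_SIZE; k++)
        admit(&t, p);
    for (r = 0; r < rounds; r++) {
        if ((s = admit(&t, p)) < 0)
            continue;               /* refused: the table stays full */
        id = t.slot[s].id;
        for (k = 0; k < idle_per_round; k++)
            admit(&t, p);
        if (t.slot[s].in_use && t.slot[s].id == id) {
            served++;
            t.slot[s].in_use = 0;   /* reply sent, connection closed */
        }
    }
    return served;
}
```

In this model the refusing table serves nobody once it has been filled, while the evicting table keeps serving clients until new idle connections arrive at `TABLE_SIZE` or more per request lifetime.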

