|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Crypto callback (was: New Denial of Service Attack on Panix)
In message <[email protected]>, Avi Freedman writes: > > And, bottom line is: One way or another, there needs to be a better > way (like a hash into an array) of storing PCBs for the kernel. And > if you solve THAT problem, avoiding PCB-and-socket creation until the > ACK of the SYN-ACK isn't even needed, I suspect. Hashing the src/dst addr/port pairs, finding a candidate bucket, and then reverting to a linked list (simple one level fixed bucket size hashing) is very easy to do. Routing code used to do this until CIDR made tree algorithms nessecary due to prefix overlap relationships. And yes. BSDI already solved this although they did it to boost performance when many legitimate PCBs were allocated on heavily loaded HTTP servers. By luck (I think), it happens to also solve the SYN attack problem (or at least require an attack of 1/3 T1 of SYN traffic). The fancier algorithms you are talking about avoid the storage costs of the PCB. They might be marginally faster due to having to allocate and fill in less data structure. IMO its not worth it. Curtis - - - - - - - - - - - - - - - - -
|