[4672] in North American Network Operators' Group
Re: Crypto callback (was: New Denial of Service Attack on Panix)
daemon@ATHENA.MIT.EDU (Curtis Villamizar)
Tue Sep 24 11:28:25 1996
To: Avi Freedman <freedman@netaxs.com>
cc: egoshin@genesyslab.com (Leonid Egoshin), avg@quake.net, dvv@sprint.net,
iepg@iepg.org, nanog@merit.edu
Reply-To: curtis@ans.net
In-reply-to: Your message of "Mon, 23 Sep 1996 22:08:16 EDT."
<199609240208.WAA25022@netaxs.com>
Date: Tue, 24 Sep 1996 11:09:03 -0400
From: Curtis Villamizar <curtis@ans.net>
In message <199609240208.WAA25022@netaxs.com>, Avi Freedman writes:
>
> And, bottom line is: One way or another, there needs to be a better
> way (like a hash into an array) of storing PCBs for the kernel. And
> if you solve THAT problem, avoiding PCB-and-socket creation until the
> ACK of the SYN-ACK isn't even needed, I suspect.
Hashing the src/dst addr/port pairs, finding a candidate bucket, and
then reverting to a linked list (simple one level fixed bucket size
hashing) is very easy to do. Routing code used to do this until CIDR
made tree algorithms necessary due to prefix overlap relationships.

And yes. BSDI already solved this although they did it to boost
performance when many legitimate PCBs were allocated on heavily loaded
HTTP servers. By luck (I think), it happens to also solve the SYN
attack problem (or at least require an attack of 1/3 T1 of SYN traffic).

The fancier algorithms you are talking about avoid the storage costs
of the PCB. They might be marginally faster due to having to allocate
and fill in less data structure. IMO it's not worth it.
Curtis
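The "simple one level fixed bucket size hashing" scheme Curtis describes, written out as an added example (this is not BSDI's kernel code, nor code from anyone in the thread): the 4-tuple is hashed into a fixed array of buckets, and each bucket holds a short linked list, so looking up or expiring a PCB walks only one chain instead of every PCB in the system. All names here (`pcb_table`, `pcb_hash`, `pcb_insert`, `pcb_lookup`, `pcb_remove`, `pcb_max_chain`, `pcb_demo_worst_chain`), the bucket count of 1024, and the use of the murmur3 32-bit finalizer as the mixing step are my own assumptions for the example; the workload in `pcb_demo_worst_chain` is constructed. As the message notes, this still allocates a PCB per half-open connection; it bounds the lookup cost, not the memory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Fixed bucket count, a power of two so the mask below works (assumed). */
#define PCB_HASH_BUCKETS 1024u

/* Minimal protocol control block: the src/dst addr/port 4-tuple is the key. */
struct pcb {
    uint32_t laddr, faddr;      /* local / foreign IPv4 address, host order */
    uint16_t lport, fport;      /* local / foreign port */
    int      half_open;         /* 1 while waiting for the ACK of our SYN-ACK */
    struct pcb *hnext;          /* next PCB in the same bucket's chain */
};

struct pcb_table {
    struct pcb *bucket[PCB_HASH_BUCKETS];
    size_t count;
};

/* Hash the 4-tuple to a bucket index. The murmur3 finalizer mixes the bits so
 * that sequential addresses or ports still spread across buckets. */
static unsigned pcb_hash(uint32_t laddr, uint16_t lport, uint32_t faddr, uint16_t fport)
{
    uint32_t h = laddr ^ (faddr * 0x9e3779b1u) ^ ((uint32_t)lport << 16 | fport);
    h ^= h >> 16; h *= 0x85ebca6bu;
    h ^= h >> 13; h *= 0xc2b2ae35u;
    h ^= h >> 16;
    return h & (PCB_HASH_BUCKETS - 1);
}

void pcb_table_init(struct pcb_table *t) { memset(t, 0, sizeof *t); }

/* Walk one bucket's chain; *steps receives the number of nodes visited. */
struct pcb *pcb_lookup(struct pcb_table *t, uint32_t laddr, uint16_t lport,
                       uint32_t faddr, uint16_t fport, size_t *steps)
{
    struct pcb *p = t->bucket[pcb_hash(laddr, lport, faddr, fport)];
    size_t n = 0;
    for (; p; p = p->hnext) {
        n++;
        if (p->laddr == laddr && p->lport == lport &&
            p->faddr == faddr && p->fport == fport)
            break;
    }
    if (steps) *steps = n;
    return p;
}

/* Allocate a half-open PCB and push it on its bucket. NULL if the 4-tuple is
 * already present or allocation fails. */
struct pcb *pcb_insert(struct pcb_table *t, uint32_t laddr, uint16_t lport,
                       uint32_t faddr, uint16_t fport)
{
    if (pcb_lookup(t, laddr, lport, faddr, fport, NULL))
        return NULL;
    struct pcb *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->laddr = laddr; p->lport = lport; p->faddr = faddr; p->fport = fport;
    p->half_open = 1;
    unsigned b = pcb_hash(laddr, lport, faddr, fport);
    p->hnext = t->bucket[b];
    t->bucket[b] = p;
    t->count++;
    return p;
}

/* Unlink and free one PCB (e.g. a half-open entry whose timer expired).
 * Returns 1 if it was found, 0 otherwise. */
int pcb_remove(struct pcb_table *t, uint32_t laddr, uint16_t lport,
               uint32_t faddr, uint16_t fport)
{
    struct pcb **pp = &t->bucket[pcb_hash(laddr, lport, faddr, fport)];
    for (; *pp; pp = &(*pp)->hnext) {
        struct pcb *p = *pp;
        if (p->laddr == laddr && p->lport == lport &&
            p->faddr == faddr && p->fport == fport) {
            *pp = p->hnext;
            free(p);
            t->count--;
            return 1;
        }
    }
    return 0;
}

/* Longest chain in the table: the worst-case cost of any single lookup. */
size_t pcb_max_chain(const struct pcb_table *t)
{
    size_t worst = 0;
    for (unsigned b = 0; b < PCB_HASH_BUCKETS; b++) {
        size_t n = 0;
        for (const struct pcb *p = t->bucket[b]; p; p = p->hnext) n++;
        if (n > worst) worst = n;
    }
    return worst;
}

/* Constructed workload: one local listener on port 80 and 4096 distinct
 * foreign 4-tuples, the shape a pile of half-open connections leaves behind.
 * Returns the longest chain, to compare against the 4096-node walk a single
 * flat PCB list would need for a miss. Entries are freed before returning. */
size_t pcb_demo_worst_chain(void)
{
    struct pcb_table t;
    pcb_table_init(&t);
    for (uint32_t i = 0; i < 4096; i++)
        pcb_insert(&t, 0x0a000001u, 80, 0xc0a80000u + i, (uint16_t)(1024 + (i & 0xff)));
    size_t worst = pcb_max_chain(&t);
    for (uint32_t i = 0; i < 4096; i++)
        pcb_remove(&t, 0x0a000001u, 80, 0xc0a80000u + i, (uint16_t)(1024 + (i & 0xff)));
    return worst;
}
```

With 4096 entries over 1024 buckets the average chain is four nodes and the longest stays in the low teens, so a lookup for a 4-tuple that is not present (the common case while a flood of SYNs arrives) costs a handful of compares rather than a walk over every PCB. The table itself does nothing to cap how many half-open PCBs get allocated; that is the separate storage problem Curtis says the fancier schemes address.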