Re: Crypto callback (was: New Denial of Service Attack on Panix)

[Curtis Villamizar <curtis () ans net>]

In message <199609240208.WAA25022 () netaxs com>, Avi Freedman writes:
> And, bottom line is:  One way or another, there needs to be a better
> way (like a hash into an array) of storing PCBs for the kernel.  And
> if you solve THAT problem, avoiding PCB-and-socket creation until the
> ACK of the SYN-ACK isn't even needed, I suspect.

Hashing the src/dst addr/port pairs, finding a candidate bucket, and
then reverting to a linked list (simple one level fixed bucket size
hashing) is very easy to do.  Routing code used to do this until CIDR
made tree algorithms nessecary due to prefix overlap relationships.

And yes.  BSDI already solved this although they did it to boost
performance when many legitimate PCBs were allocated on heavily loaded
HTTP servers.  By luck (I think), it happens to also solve the SYN
attack problem (or at least require an attack of 1/3 T1 of SYN traffic).

The fancier algorithms you are talking about avoid the storage costs
of the PCB.  They might be marginally faster due to having to allocate
and fill in less data structure.  IMO its not worth it.

Curtis

- - - - - - - - - - - - - - - - -