Date: Thu, 22 Mar 2007 23:03:04 +0100
From: Eric Dumazet <dada1@...mosbay.com>
To: David Miller <davem@...emloft.net>, nikb@...master.com
CC: netdev@...r.kernel.org
Subject: Re: RFC: Established connections hash function

David Miller wrote:
> From: "Nikolaos D. Bougalis" <nikb@...master.com>
> Date: Thu, 22 Mar 2007 12:44:09 -0700
>
>> People _have_ had problems. _I_ have had problems. And when
>> someone with a few thousand drones under his control hoses your
>> servers because he can do math and he leaves you with 20000-item
>> long chains, _you_ will have problems.
>
> No need to further argue this point, the people that matter
> (ie. me :-) understand it, don't worry..

Yes, I recall having one big server hit two years ago by an attack on the tcp hash function.
David sent me the patch to use jhash. It's performing well :)

Welcome to the club :)

===== net/ipv4/tcp_ipv4.c 1.114 vs edited ===== --- 1.114/net/ipv4/tcp_ipv4.c 2005-03-26 15:04:35 -08:00 +++ edited/net/ipv4/tcp_ipv4.c 2005-04-05 13:39:52 -07:00 @@ -103,14 +103,15 @@ */ int sysctl_local_port_range[2] = { 1024, 4999 }; int tcp_port_rover = 1024 - 1; +static u32 tcp_v4_hash_rand; static __inline__ int tcp_hashfn(__u32 laddr, __u16 lport, __u32 faddr, __u16 fport) { - int h = (laddr ^ lport) ^ (faddr ^ fport); - h ^= h >> 16; - h ^= h >> 8; - return h & (tcp_ehash_size - 1); + return jhash_2words(laddr ^ faddr, + (lport << 16) | fport, + tcp_v4_hash_rand) & + (tcp_ehash_size - 1); } > static __inline__ int tcp_sk_hashfn(struct sock *sk)
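Review bot: in the tcp_hashfn hunk, XOR-ing laddr with faddr before the call discards information: two 4-tuples whose address words XOR to the same value hand jhash_2words identical input, so the secret only hides which bucket they share, not that they share one. Passing the addresses as separate words, e.g. jhash_3words(laddr, faddr, (lport << 16) | fport, tcp_v4_hash_rand), keeps the whole tuple in the hash at the same cost. The hunk also does not show a #include <linux/jhash.h>; jhash_2words needs it, so add it if the file does not already have it.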
> @@ -2626,6 +2627,9 @@ > panic("Failed to create the TCP control socket.\n"); > tcp_socket->sk->sk_allocation = GFP_ATOMIC; > inet_sk(tcp_socket->sk)->uc_ttl = -1; > + > + get_random_bytes(&tcp_v4_hash_rand, 4); > + tcp_v4_hash_rand ^= jiffies; > > /* Unhash it so that IP input processing does not even > * see it, we do not wish this socket to see incoming > >
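Review bot: in the init hunk, get_random_bytes(&tcp_v4_hash_rand, 4) already fills the seed with kernel entropy, so the following tcp_v4_hash_rand ^= jiffies adds nothing and can be dropped; and sizeof(tcp_v4_hash_rand) is safer than the literal 4 if the seed type ever changes. The declaration of tcp_v4_hash_rand in the earlier hunk also deserves a comment that the seed must be set before the first established-socket insert and never changed afterwards, since any entry hashed under a different seed can no longer be found in the table.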