[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <7372f788762140d496c157813b0173e5@AcuMS.aculab.com>
Date: Wed, 27 Apr 2022 08:07:29 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Willy Tarreau' <w@....eu>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC: David Miller <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
"Eric Dumazet" <edumazet@...gle.com>,
Moshe Kol <moshe.kol@...l.huji.ac.il>,
"Yossi Gilad" <yossi.gilad@...l.huji.ac.il>,
Amit Klein <aksecurity@...il.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH net 6/7] tcp: increase source port perturb table to 2^16
From: Willy Tarreau
> Sent: 27 April 2022 07:53
>
> Moshe Kol, Amit Klein, and Yossi Gilad reported being able to accurately
> identify a client by forcing it to emit only 40 times more connections
> than there are entries in the table_perturb[] table. The previous two
> improvements consisting in resalting the secret every 10s and adding
> randomness to each port selection only slightly improved the situation,
> and the current value of 2^8 was too small as it's not very difficult
> to make a client emit 10k connections in less than 10 seconds.
>
> Thus we're increasing the perturb table from 2^8 to 2^16 so that the the
> same precision now requires 2.6M connections, which is more difficult in
> this time frame and harder to hide as a background activity. The impact
> is that the table now uses 256 kB instead of 1 kB, which could mostly
> affect devices making frequent outgoing connections. However such
> components usually target a small set of destinations (load balancers,
> database clients, perf assessment tools), and in practice only a few
> entries will be visited, like before.
Increasing the table size has a bigger impact on anyone trying
to get the kernel to run in a limited memory footprint.
All these large tables (often hash tables) soon add up.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Powered by blists - more mailing lists