lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CALnjE+oEKGakFMZvSBir3OUmMdQmZdF2+YEy5kDV=P=_BNKU4Q@mail.gmail.com>
Date:	Mon, 4 Aug 2014 12:35:59 -0700
From:	Pravin Shelar <pshelar@...ira.com>
To:	David Miller <davem@...emloft.net>
Cc:	netdev <netdev@...r.kernel.org>
Subject: Re: [GIT net-next] Open vSwitch

On Sun, Aug 3, 2014 at 9:21 PM, David Miller <davem@...emloft.net> wrote:
> From: Pravin Shelar <pshelar@...ira.com>
> Date: Sun, 3 Aug 2014 12:20:32 -0700
>
>> On Sat, Aug 2, 2014 at 3:16 PM, David Miller <davem@...emloft.net> wrote:
>>> From: Pravin B Shelar <pshelar@...ira.com>
>>> Date: Thu, 31 Jul 2014 16:57:37 -0700
>>>
>>>> Following patch adds mask cache so that we do not need to iterate over
>>>> all entries in mask list on every packet. We have seen good performance
>>>> improvement with this patch.
>>>
>>> How much have you thought about the DoS'ability of openvswitch's
>>> datastructures?
>>>
>> This cache is populated by flow lookup in fast path. The mask cache is
>> fixed in size. Userspace or number of packets can not change its size.
>> Memory is statically allocated, no garbage collection. So DoS attack
>> can not exploit this cache to increase ovs memory footprint.
>
> An attacker can construct a packet sequence such that every mask cache
> lookup misses, making the cache effectively useless.

Yes, but it does work in normal traffic situations. I have posted
performance numbers in the cover letter.
Under DoS attack as you said attacker need to build sequence of
packets to make cache ineffective. Which results in cache miss and a
full in-kernel flow lookup. Therefore with this cache there is one
more lookup done under DoS. But this is not very different than
current OVS anyways.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ