[Bug 192888] ipfw NAT vulnerable to simple DOS attacks

2021-07-06 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192888

Lutz Donnerhacke  changed:

   What        |Removed      |Added
 Resolution    |---          |FIXED
 Status        |In Progress  |Closed

--- Comment #11 from Lutz Donnerhacke  ---
Seems to be solved.
Hopefully.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


[Bug 192888] ipfw NAT vulnerable to simple DOS attacks

2021-07-06 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192888

Lutz Donnerhacke  changed:

   What        |Removed      |Added
 Flags         |             |mfc-stable13+,
               |             |mfc-stable12+



[Bug 192888] ipfw NAT vulnerable to simple DOS attacks

2021-07-06 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192888

--- Comment #10 from commit-h...@freebsd.org ---
A commit in branch stable/12 references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=1883127de4888b2a30a6cb51e8fb4bdf33b7f411

commit 1883127de4888b2a30a6cb51e8fb4bdf33b7f411
Author: Lutz Donnerhacke 
AuthorDate: 2021-05-27 21:42:54 +
Commit: Lutz Donnerhacke 
CommitDate: 2021-07-06 07:10:02 +

libalias: Switch to SPLAY trees

The current data structure is using a hash of unordered lists.  Those
unordered lists are quite efficient, because the least recently
inserted entries are most likely to be used again.  In order to avoid
long search times in other cases, the lists are hashed into many
buckets.  Unfortunately a search for a miss needs an exhaustive
inspection and a careful definition of the hash.

Splay trees offer a similar feature - almost O(1) for access of the
least recently used entries, and amortized O(ln(n)) for almost all
other cases.  Get rid of the hash.

Now the data structure should be able to quickly react to external
packets without eating CPU cycles for breakfast, preventing a DoS.

PR: 192888
Discussed with: Dimitry Luhtionov
Differential Revision: https://reviews.freebsd.org/D30516
Differential Revision: https://reviews.freebsd.org/D30536
Differential Revision: https://reviews.freebsd.org/D30844

(cherry picked from commit 935fc93af157dee352eb4b6c83f8a2a9e7fd9a4e)
(cherry picked from commit d261e57deacb0d00d9e827447f235df83dda3e3a)
(cherry picked from commit f70c98a2f5d993dc518efd606aa341eda99400ef)
(cherry picked from commit 25392fac9488bcae5c451500df2e2945430484a6)
(cherry picked from commit 2f4d91f9cb22fc65eb65407e8118b433a5d71976)
(cherry picked from commit 4060e77f49d1b9fd2254f3f4da94fd64fce83f72)

 sys/netinet/libalias/HISTORY  |   3 +-
 sys/netinet/libalias/alias_db.c   | 502 +++---
 sys/netinet/libalias/alias_db.h (new) | 443 ++
 sys/netinet/libalias/alias_local.h|  10 +-
 4 files changed, 489 insertions(+), 469 deletions(-)



[Bug 192888] ipfw NAT vulnerable to simple DOS attacks

2021-07-06 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192888

--- Comment #9 from commit-h...@freebsd.org ---
A commit in branch stable/13 references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=3a96a25da8614d27f717ba8d29d32bafb04a70e8

commit 3a96a25da8614d27f717ba8d29d32bafb04a70e8
Author: Lutz Donnerhacke 
AuthorDate: 2021-05-27 21:42:54 +
Commit: Lutz Donnerhacke 
CommitDate: 2021-07-06 06:55:53 +

libalias: Switch to SPLAY trees

The current data structure is using a hash of unordered lists.  Those
unordered lists are quite efficient, because the least recently
inserted entries are most likely to be used again.  In order to avoid
long search times in other cases, the lists are hashed into many
buckets.  Unfortunately a search for a miss needs an exhaustive
inspection and a careful definition of the hash.

Splay trees offer a similar feature - almost O(1) for access of the
least recently used entries, and amortized O(ln(n)) for almost all
other cases.  Get rid of the hash.

Now the data structure should be able to quickly react to external
packets without eating CPU cycles for breakfast, preventing a DoS.

PR: 192888
Discussed with: Dimitry Luhtionov
Differential Revision: https://reviews.freebsd.org/D30516
Differential Revision: https://reviews.freebsd.org/D30536
Differential Revision: https://reviews.freebsd.org/D30844

(cherry picked from commit 935fc93af157dee352eb4b6c83f8a2a9e7fd9a4e)
(cherry picked from commit d261e57deacb0d00d9e827447f235df83dda3e3a)
(cherry picked from commit f70c98a2f5d993dc518efd606aa341eda99400ef)
(cherry picked from commit 25392fac9488bcae5c451500df2e2945430484a6)
(cherry picked from commit 2f4d91f9cb22fc65eb65407e8118b433a5d71976)
(cherry picked from commit 4060e77f49d1b9fd2254f3f4da94fd64fce83f72)

 sys/netinet/libalias/HISTORY  |   3 +-
 sys/netinet/libalias/alias_db.c   | 502 +++---
 sys/netinet/libalias/alias_db.h (new) | 443 ++
 sys/netinet/libalias/alias_local.h|  10 +-
 4 files changed, 489 insertions(+), 469 deletions(-)

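The commit messages in Comment #9 and Comment #10 describe the same change on two branches: the hash of unordered lists, where confirming a lookup miss means scanning a whole bucket, is replaced by a splay tree, where every lookup moves the touched key (or the last node on its search path) to the root. A flood of packets whose tuples are not in the NAT table is exactly a stream of misses, which is why the old structure could be driven into a DoS. The C program below is an added example written for this page, not code from libalias or from the FreeBSD commits (their implementation is in the alias_db.c and alias_db.h files listed in the diffstat and is not reproduced here). It compares a single unordered list, standing in for one bucket of the old design, against a top-down splay tree on a constructed table of 4096 keys: it counts how many entries one miss inspects in the list, how many descent steps 4096 consecutive misses cost in the tree, and shows that an immediately repeated hit on the same key costs one step. The key values, the table size, the scrambling constant and every function name are the example's own assumptions.

```c
/* Added example, not libalias code: lookup-miss cost of an unordered list
 * (one bucket of the old hash-of-lists design) versus a top-down splay tree.
 * Keys stand in for a flattened NAT link tuple; the table is constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct lnode { uint64_t key; struct lnode *next; };          /* baseline: unordered list */
struct snode { uint64_t key; struct snode *left, *right; };  /* splay tree node */

/* Top-down splay (Sleator and Tarjan): brings key, or the last node on its
 * search path, to the root.  *steps counts descent iterations. */
static struct snode *splay(struct snode *t, uint64_t key, size_t *steps) {
    struct snode hdr = {0, NULL, NULL}, *l = &hdr, *r = &hdr, *y;
    for (;;) {
        (*steps)++;
        if (key < t->key) {
            if (!t->left) break;
            if (key < t->left->key) {            /* zig-zig: rotate right */
                y = t->left; t->left = y->right; y->right = t; t = y;
                if (!t->left) break;
            }
            r->left = t; r = t; t = t->left;     /* link t into the right tree */
        } else if (key > t->key) {
            if (!t->right) break;
            if (key > t->right->key) {           /* zig-zig: rotate left */
                y = t->right; t->right = y->left; y->left = t; t = y;
                if (!t->right) break;
            }
            l->right = t; l = t; t = t->right;   /* link t into the left tree */
        } else break;                            /* hit */
    }
    l->right = t->left; r->left = t->right;      /* reassemble around t */
    t->left = hdr.right; t->right = hdr.left;
    return t;
}

static struct snode *splay_insert(struct snode *t, uint64_t key) {
    size_t unused = 0;
    struct snode *n = malloc(sizeof *n);
    n->key = key; n->left = n->right = NULL;
    if (!t) return n;
    t = splay(t, key, &unused);
    if (key < t->key)      { n->left = t->left;   n->right = t; t->left = NULL; }
    else if (key > t->key) { n->right = t->right; n->left = t;  t->right = NULL; }
    else                   { free(n); return t; }  /* already present */
    return n;
}

/* 1 on hit, 0 on miss; either way the search path has been splayed to the root. */
static int splay_lookup(struct snode **root, uint64_t key, size_t *steps) {
    if (*root) *root = splay(*root, key, steps);
    return *root && (*root)->key == key;
}

static void splay_free(struct snode *t) { if (t) { splay_free(t->left); splay_free(t->right); free(t); } }

/* Constructed key space: present keys are odd, inserted in scrambled order
 * (n must be a power of two); probe keys are even, so every probe is a miss. */
static uint64_t present_key(size_t i, size_t n) { return 2 * ((i * 0x9E3779B1u) & (n - 1)) + 1; }
static uint64_t probe_key(size_t i) { return 2 * i; }

/* Entries inspected by one miss against an n-entry unordered list: always n,
 * since a miss can only be confirmed by inspecting every entry. */
size_t list_miss_cost(size_t n) {
    struct lnode *head = NULL; size_t steps = 0;
    for (size_t i = 0; i < n; i++) {
        struct lnode *e = malloc(sizeof *e);
        e->key = present_key(i, n); e->next = head; head = e;
    }
    for (const struct lnode *p = head; p && p->key != probe_key(0); p = p->next) steps++;
    while (head) { struct lnode *nx = head->next; free(head); head = nx; }
    return steps;
}

/* Total descent steps for `misses` distinct misses against an n-entry splay tree. */
size_t splay_miss_cost(size_t n, size_t misses) {
    struct snode *root = NULL; size_t steps = 0;
    for (size_t i = 0; i < n; i++) root = splay_insert(root, present_key(i, n));
    for (size_t i = 0; i < misses; i++)
        if (splay_lookup(&root, probe_key(i), &steps)) { splay_free(root); return 0; }
    splay_free(root);
    return steps;
}

/* Steps for a hit repeated immediately: the key is already at the root. */
size_t splay_repeat_hit_cost(size_t n, uint64_t key) {
    struct snode *root = NULL; size_t first = 0, second = 0;
    for (size_t i = 0; i < n; i++) root = splay_insert(root, present_key(i, n));
    int ok = splay_lookup(&root, key, &first) && splay_lookup(&root, key, &second);
    splay_free(root);
    return ok ? second : 0;
}

int main(void) {
    size_t n = 4096;
    printf("list, one miss over %zu entries: %zu inspected\n", n, list_miss_cost(n));
    printf("splay, %zu misses over %zu entries: %zu steps total\n", n, n, splay_miss_cost(n, n));
    printf("splay, repeated hit on key 1: %zu step\n", splay_repeat_hit_cost(n, 1));
}
```

Build with `cc -O2 -o splay_demo splay_demo.c` and run it: the list miss inspects all 4096 entries, while the 4096 misses against the splay tree together cost a small multiple of log2(4096) steps each, and the repeated hit costs a single step because the previous lookup left that key at the root. The guarantee is amortized, not per operation: one lookup right after the tree has been built in a skewed order can still walk a long path, which is why the comparison sums a sequence of misses rather than timing one. That is also the property the commit message relies on: a burst of unknown external tuples restructures the tree as it goes instead of paying a full bucket scan for every packet.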