David Miller a écrit :
From: "Nikolaos D. Bougalis" <[EMAIL PROTECTED]>
Date: Thu, 22 Mar 2007 12:44:09 -0700
People _have_ had problems. _I_ have had problems. And when
someone with a few thousand drones under his control hoses your
servers because he can do math and he leaves you with 20000-item
long chains, _you_ will have problems.
No need to further argue this point, the people that matter
(ie. me :-) understand it, don't worry..
Yes, I recall having one big server hit two years ago by an attack on tcp hash
function. David sent me the patch to use jhash. It's performing well :)
Welcome to the club :)
===== net/ipv4/tcp_ipv4.c 1.114 vs edited =====
--- 1.114/net/ipv4/tcp_ipv4.c 2005-03-26 15:04:35 -08:00
+++ edited/net/ipv4/tcp_ipv4.c 2005-04-05 13:39:52 -07:00
@@ -103,14 +103,15 @@
*/
int sysctl_local_port_range[2] = { 1024, 4999 };
int tcp_port_rover = 1024 - 1;
+static u32 tcp_v4_hash_rand;
static __inline__ int tcp_hashfn(__u32 laddr, __u16 lport,
__u32 faddr, __u16 fport)
{
- int h = (laddr ^ lport) ^ (faddr ^ fport);
- h ^= h >> 16;
- h ^= h >> 8;
- return h & (tcp_ehash_size - 1);
+ return jhash_2words(laddr ^ faddr,
+ (lport << 16) | fport,
+ tcp_v4_hash_rand) &
+ (tcp_ehash_size - 1);
}
> static __inline__ int tcp_sk_hashfn(struct sock *sk)
> @@ -2626,6 +2627,9 @@
> panic("Failed to create the TCP control socket.\n");
> tcp_socket->sk->sk_allocation = GFP_ATOMIC;
> inet_sk(tcp_socket->sk)->uc_ttl = -1;
> +
> + get_random_bytes(&tcp_v4_hash_rand, 4);
> + tcp_v4_hash_rand ^= jiffies;
>
> /* Unhash it so that IP input processing does not even
> * see it, we do not wish this socket to see incoming
>
>
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
