On Mon, Mar 21, 2016 at 08:25:59PM +1000, David Gwynne wrote:
> how can i judge if this is better than just using a single hash with a strong
> function?

The attack I see is that you can measure the bucket distribution by timing the SYN+ACK response. You can collect samples that end in the same bucket. After you have collected enough, start your DoS attack.

I think that just collecting data is also possible with a strong hash function. With a weak function you may collect less and can start guessing early on top of that. But reseeding after a number of packets prevents collecting information over a long period.

Unfortunately I have no analysis or practical experience with timing attacks. It is just a conclusion from reading the code.

bluhm
