[Bug 192888] ipfw NAT vulnerable to simple DOS attacks

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 19 Jun 2021 20:28:45 +0000

--- Comment #7 from commit-hook_at_FreeBSD.org ---
A commit in branch main references this bug:


commit d261e57deacb0d00d9e827447f235df83dda3e3a
Author:     Lutz Donnerhacke <donner_at_FreeBSD.org>
AuthorDate: 2021-05-28 20:36:59 +0000
Commit:     Lutz Donnerhacke <donner_at_FreeBSD.org>
CommitDate: 2021-06-19 20:12:28 +0000

    libalias: Switch to efficient data structure for incoming traffic

    Current data structure is using a hash of unordered lists.  Those
    unordered lists are quite efficient, because the least recently
    inserted entries are most likely to be used again.  In order to avoid
    long search times in other cases, the lists are hashed into many
    buckets.  Unfortunatly a search for a miss needs an exhaustive
    inspection and a careful definition of the hash.

    Splay trees offer a similar feature: Almost O(1) for access of the
    least recently used entries, and amortized O(ln(n)) for almost all
    other cases.  Get rid of the hash.

    Now the data structure should able to quickly react to external
    packets without eating CPU cycles for breakfast, preventing a DoS.

    PR:             192888
    Discussed with: Dimitry Luhtionov
    MFC after:      1 week
    Differential Revision: https://reviews.freebsd.org/D30536

 sys/netinet/libalias/alias_db.c    | 75 +++++++++++++++++---------------------
 sys/netinet/libalias/alias_local.h |  6 +--
 2 files changed, 36 insertions(+), 45 deletions(-)

You are receiving this mail because:
You are on the CC list for the bug.
Received on Sat Jun 19 2021 - 20:28:45 UTC

Original text of this message