Firewall Wizards mailing list archives

Re: CERT vulnerability note VU# 539363 (fwd)


From: Darren Reed <darrenr () reed wattle id au>
Date: Tue, 22 Oct 2002 16:15:26 +1000 (EST)

Mike's "reference" here is the hash table IPFilter uses (maybe others).
FWIW, it gets distributed with a predefined size and most likely most
people never change this.  That said, nobody has ever come to me and
said "here's a patch to fix it" or "my firewall is running like a dog
because of this attack".  Be that as it may, code has been in place for
some time to address this issue, in future, using a secret.

In some email I received from Miles Sabin, sie wrote:
> Mike Frantzen wrote,
> > The problem with a hashed state table is that hash tables are very
> > easy to attack.  The use of collision chains (linked lists) would let
> > an attack totally blow out the D$ and TLB.  I've made a Sun U10
> > 440MHz w/ 2MB L2 grind to a halt w/ 5 packets a second after a long
> > series of collisions.

> Interesting ... the idea being that with knowledge of the hash function
> an attacker could manufacture enough collisions to push the hash table
> to the O(n) worst case?

> Couldn't that attack be frustrated by a more sophisticated hash function
> parameterized with a local secret (i.e. the attacker would need to know
> the secret as well as the function before they could reliably generate
> collisions)?

Yup.

> Or would that make the hash function too computationally expensive?

I can't see how it would.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
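The collision attack Mike describes and the keyed-hash defence Miles asks about, as an added example that is not part of this thread and is not IPFilter code. The 5-tuple struct, the XOR-fold "unkeyed" hash, the multiply/xor-shift "keyed" hash, the 1024-bucket table size and the attacker's address pattern are all constructed for the demo. The attacker, knowing only the public unkeyed function, builds distinct flows whose tuples all fold to the same constant; the same flows are then inserted into a table hashed with a secret the attacker does not have.

```c
/* Constructed demo: collision-chain DoS on a state table, with and without
 * a secret-keyed hash.  Not IPFilter code; all names here are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NBUCKETS 1024   /* fixed, shipped-as-default table size (assumption) */

typedef struct {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t  proto;
} flow_t;

/* Unkeyed hash: an XOR fold of the 5-tuple.  Stands in for any public,
 * secret-free state-table hash; it is not IPFilter's actual function. */
static uint32_t hash_unkeyed(const flow_t *f)
{
    uint32_t h = f->saddr ^ f->daddr
               ^ ((uint32_t)f->sport << 16 | f->dport) ^ f->proto;
    return h % NBUCKETS;
}

static uint64_t mix(uint64_t h, uint64_t v)
{
    h ^= v;
    h *= 0x9E3779B97F4A7C15ULL;
    h ^= h >> 29;
    return h;
}

/* Keyed hash: same fields, seeded with a per-boot secret and pushed through
 * a multiply/xor-shift mixer.  Toy mixer to show the idea; a production
 * table should use a vetted keyed hash (SipHash or similar). */
static uint32_t hash_keyed(const flow_t *f, uint64_t key)
{
    uint64_t h = key;
    h = mix(h, f->saddr);
    h = mix(h, f->daddr);
    h = mix(h, ((uint64_t)f->sport << 16) | f->dport);
    h = mix(h, f->proto);
    /* splitmix64-style finaliser so every input bit reaches the low bits */
    h ^= h >> 30; h *= 0xBF58476D1CE4E5B9ULL;
    h ^= h >> 27; h *= 0x94D049BB133111EBULL;
    h ^= h >> 31;
    return (uint32_t)(h % NBUCKETS);
}

/* Attacker: with hash_unkeyed() public, choose daddr so the XOR fold of
 * every tuple equals the same constant (hence the same bucket) while each
 * tuple is still a distinct flow that gets its own state entry. */
static void make_colliding_flows(flow_t *out, size_t n, uint32_t constant)
{
    for (size_t i = 0; i < n; i++) {
        out[i].sport = 40000; out[i].dport = 80; out[i].proto = 6;
        out[i].saddr = 0x0A000001u + (uint32_t)i;            /* 10.0.0.1 + i */
        uint32_t rest = ((uint32_t)out[i].sport << 16 | out[i].dport) ^ out[i].proto;
        out[i].daddr = out[i].saddr ^ rest ^ constant;        /* fold == constant */
    }
}

/* Insert the flows and return the longest collision chain, i.e. how many
 * entries a lookup in the worst bucket must walk (the O(n) case). */
static size_t longest_chain(const flow_t *flows, size_t n, int keyed, uint64_t key)
{
    size_t chain[NBUCKETS] = {0}, worst = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t b = keyed ? hash_keyed(&flows[i], key) : hash_unkeyed(&flows[i]);
        if (++chain[b] > worst) worst = chain[b];
    }
    return worst;
}

size_t attack_longest_chain(int keyed, uint64_t key, size_t n)
{
    flow_t *flows = malloc(n * sizeof *flows);
    if (!flows) return 0;
    make_colliding_flows(flows, n, 0x2A);
    size_t worst = longest_chain(flows, n, keyed, key);
    free(flows);
    return worst;
}

int main(void)
{
    size_t n = 4096;
    printf("unkeyed: longest chain %zu of %zu flows\n",
           attack_longest_chain(0, 0, n), n);
    printf("keyed:   longest chain %zu of %zu flows\n",
           attack_longest_chain(1, 0x0123456789ABCDEFULL, n), n);
    return 0;
}
```

With the unkeyed fold every one of the 4096 flows lands in bucket 42, so each new packet walks a chain as long as the whole table; with the keyed hash the same flows spread out to roughly the 4-per-bucket average. The per-packet cost of the keyed version is a few multiplies and shifts, which answers Miles's question about expense. Two caveats a practitioner should keep in mind: the secret must be unpredictable (generated at boot, not compiled in), and a toy mixer like this one can leak its key through timing or bucket-probing, which is why a real table should use a hash designed to be keyed.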