Denial of Service on Bro via Scott Crosby and Dan Wallach's method...fixed in bro-pub-0.8a32?
jmellander at lbl.gov
Mon Jul 14 09:54:36 PDT 2003
Ruoming Pang wrote:
> Thanks for your suggestion. Yes, we are looking for an implementation of a
> *universal* hash function (e.g. one option is to find a stable
> implementation of UMAC). I'd love to hear if you have any suggestion on
> this regard.
> As to the hash function you suggested, I think it would suffer the same
> kind of DoS attack. Scott's paper explains it quite well -- the problem
> with the original function is that it first reduces the value down to a
> 32-bit value with a simple function, and it is easy to find collisions for
> this step so that the attacker can generate numerous strings that will be
> reduced to the same 32-bit number. Afterwards, no matter what you do on
> the 32-bit number can prevent collisions.
Hmm, that's a good point - the reduction to a 32-bit number would still
be predictable. Why not apply the xor function to the input, then,
before the reduction takes place? - this presumably would remove the
predictability of the reduction step.
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
Your fortune for today is:
Save energy: Drive a smaller shell.
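The point quoted above, that collisions created in the reduction to 32 bits survive anything done to the 32-bit value afterwards, shown as an added example (not code from this thread or from Bro). `reduce32` is an assumed stand-in for a simple fixed reduction, not Bro's actual function, and `keyed_poly` is a small keyed polynomial hash used only for contrast, not UMAC; the key values and input strings are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a simple reduction to 32 bits (an assumption, not Bro's
 * actual function): fixed-multiplier string hash h = h*31 + c. */
static uint32_t reduce32(const char *s) {
    uint32_t h = 0;
    while (*s) h = h * 31u + (unsigned char)*s++;
    return h;
}

/* Keyed post-processing that only ever sees the reduced 32-bit value. */
static uint32_t weak_hash(const char *s, uint32_t key) {
    uint32_t h = reduce32(s) ^ key;
    h ^= h >> 16; h *= 0x45d9f3bu; h ^= h >> 16;
    return h;
}

/* Contrast: the secret key is the multiplier of a polynomial hash modulo
 * the prime 2^31-1, so the key takes part in every reduction step. */
static uint32_t keyed_poly(const char *s, uint32_t key) {
    const uint64_t p = 2147483647u;
    uint64_t h = 0, k = key % p;
    while (*s) h = (h * k + (unsigned char)*s++) % p;
    return (uint32_t)h;
}

typedef uint32_t (*hash_fn)(const char *, uint32_t);
/* Constructed inputs: "Aa" and "BB" collide under h*31+c, as do their concatenations. */
static const char *INPUTS[] = { "AaAa", "AaBB", "BBAa", "BBBB" };
enum { N_INPUTS = 4 };

/* Number of distinct hash values the inputs produce under f and key. */
static int distinct_outputs(hash_fn f, uint32_t key) {
    uint32_t seen[N_INPUTS];
    int n = 0;
    for (int i = 0; i < N_INPUTS; i++) {
        uint32_t h = f(INPUTS[i], key);
        int j = 0;
        while (j < n && seen[j] != h) j++;
        if (j == n) seen[n++] = h;
    }
    return n;
}

int main(void) {
    printf("post-processed: %d distinct\n", distinct_outputs(weak_hash, 0x5eed1234u));
    printf("keyed poly:     %d distinct\n", distinct_outputs(keyed_poly, 0x5eed1234u));
    return 0;
}
```

Whatever key is given to `weak_hash`, the four inputs land in one bucket, because they are already equal before the key is applied.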