Denial of Service on Bro via Scott Crosby and Dan Wallach's method...fixedin bro-pub-0.8a32?

Jim Mellander jmellander at
Mon Jul 14 09:54:36 PDT 2003

Ruoming Pang wrote:
> Jim,
> Thanks for your suggestion. Yes, we are looking for an implementation of a
> *universal* hash function (e.g. one option is to find a stable
> implementation of UMAC). I'd love to hear if you have any suggestion on
> this regard.
> As to the hash function you suggested, I think it would suffer the same
> kind of DoS attack. Scott's paper explains it quite well -- the problem
> with the original function is that it first reduces the value down to a
> 32-bit value with a simple function, and it is easy to find collisions for
> this step so that the attacker can generate numerous strings that will be
> reduced to the same 32-bit number. Afterwards, no matter what you do on
> the 32-bit number can prevent collisions.
> Ruoming

Hmm, thats a good point - the reduction to a 32-bit number would still
be predictable.  Why not apply the xor function to the input, then,
before the reduction takes place? - this presumably would remove the
predictability of the reduction step.

Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

Your fortune for today is:

Save energy:  Drive a smaller shell.

More information about the Bro mailing list