[Bro-Dev] Connection Compressor

Robin Sommer robin at icir.org
Mon Aug 15 08:53:59 PDT 2011


On Mon, Aug 15, 2011 at 08:42 -0700, you wrote:

> So just to confirm: for a high-speed SYN flooding attack, it's not much
> help?

I didn't try that (only "normal" traffic) and it probably still helps
with that. But that was only part of the original motivation, which
started out from the general observation of many connections not
getting established. And another piece of the story was the separate
flood detector that starts sampling traffic from specific sources or
destinations (Seth, is that ported already?)

So I think the compressor still helps in some (extreme) situations,
and generally, performance-wise it certainly doesn't hurt to have it.
But I'm not sure it's worth the complexity: we keep running into
issues with the changes in semantics it introduces, it's on a separate
code path that needs to be integrated with all packet-level stuff, and
as Gregor said, it would also need more than just maintenance work in
the future, like adding IPv6 support.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

