[Bro-Dev] Connection Compressor

Jim Mellander jmellander at lbl.gov
Mon Aug 15 10:09:19 PDT 2011


We like setting record_state_history=T to record the flags that were seen
during the connection, and found that the connection compressor didn't play
nicely with that, in some cases.

On Mon, Aug 15, 2011 at 8:53 AM, Robin Sommer <robin at icir.org> wrote:

> On Mon, Aug 15, 2011 at 08:42 -0700, you wrote:
> > So just to confirm: for a high-speed SYN flooding attack, it's not much
> > help?
> I didn't try that (only "normal" traffic) and it probably still helps
> with that. But that was only part of the original motivation, which
> started out from the general observation of many connections not
> getting established. And another piece of the story was the separate
> flood detector that starts sampling traffic from specific sources or
> destinations (Seth, is that ported already?)
> So I think the compressor still helps in some (extreme) situations,
> and generally, performance-wise it certainly doesn't hurt to have it.
> But I'm not sure it's worth the complexity: we keep running into
> issues with the changes in semantics it introduces, it's on a separate
> code path that needs to be integrated with all packet-level stuff, and
> as Gregor said, it would also need more than just maintenance work in
> the future, like adding IPv6 support.
> Robin
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro-ids.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
