[Bro-Dev] Connection Compressor
jmellander at lbl.gov
Mon Aug 15 10:09:19 PDT 2011
We like setting record_state_history=T to record the flags that were seen
during the connection, and found that the connection compressor didn't play
nicely with that, in some cases.
On Mon, Aug 15, 2011 at 8:53 AM, Robin Sommer <robin at icir.org> wrote:
> On Mon, Aug 15, 2011 at 08:42 -0700, you wrote:
> > So just to confirm: for a high-speed SYN flooding attack, it's not much
> > help?
> I didn't try that (only "normal" traffic) and it probably still helps
> with that. But that was only part of the original motivation, which
> started out from the general observation of many connections not
> getting established. And another piece of the story was the separate
> flood detector that starts sampling traffic from specific sources or
> destinations (Seth, is that ported already?)
> So I think the compressor still helps in some (extreme) situations,
> and generally, performance-wise it certainly doesn't hurt to have it.
> But I'm not sure it's worth the complexity: we keep running into
> issues with the changes in semantics it introduces, it's on a separate
> code path that needs to be integrated with all packet-level stuff, and
> as Gregor said, it would also need more than just maintenance work in
> the future, like adding IPv6 support.
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org