[Bro-Dev] Connection Compressor
Gregor Maier
gregor at icir.org
Mon Aug 15 19:40:34 PDT 2011
On 8/15/11 8:42 , Vern Paxson wrote:
>> I've done some measurements as well now and can confirm this. With
>> master in default mode, I also see only tiny savings in time and
>> memory.
>
> So just to confirm: for a high-speed SYN flooding attack, it's not much
> help? That was the original motivation, after all.
FYI
I've done some tests with a trace that contains only SYNs. The trace has
10M syns and spans approx. 20min. I've also made the trace "faster" by
changing the timestamps:
original (20min)
* 227s 100MB with CC
* 354s 320MB without
compressed to 2min
* 221s 780MB with
* 373s 2029MB without
compressed to 1min
* 219s 1915MB with
* 404s 5308MB without
compressed to 1min, tcp_SYN_timeout set to 1sec (instead of 5sec)
* 219s 398MB with
* 349s 714MB without
So, the compressor helps for massive SYN storms but IMHO not enough to
make it worthwhile keeping it considering all the other tradeoffs
mentioned in this thread.
cu
Gregor
--
Gregor Maier
<gregor at icir.org> <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/
More information about the bro-dev
mailing list