[Bro-Dev] Connection Compressor

Gregor Maier gregor at icir.org
Mon Aug 15 19:40:34 PDT 2011

On 8/15/11 8:42 , Vern Paxson wrote:
>> I've done some measurements as well now and can confirm this. With
>> master in default mode, I also see only tiny savings in time and
>> memory.
> So just to confirm: for a high-speed SYN flooding attack, it's not much
> help?  That was the original motivation, after all.

I've done some tests with a trace that contains only SYNs. The trace has 
10M SYNs and spans approx. 20min. I've also made the trace "faster" by 
changing the timestamps:

original (20min)
	* 227s 100MB with CC
	* 354s 320MB without
compressed to 2min
	* 221s  780MB with
	* 373s 2029MB without
compressed to 1min
	* 219s 1915MB with
	* 404s 5308MB without
compressed to 1min, tcp_SYN_timeout set to 1sec (instead of 5sec)
	* 219s  398MB with
	* 349s  714MB without

So, the compressor helps for massive SYN storms, but IMHO not enough to 
make it worthwhile keeping it, considering all the other tradeoffs 
mentioned in this thread.

Gregor Maier
<gregor at icir.org>  <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
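
Added example, not part of the original message: one way to make a trace "faster" by changing the timestamps, as the measurements above describe, so the same SYN-only capture can be read offline at a higher apparent packet rate. It assumes a classic pcap file (not pcapng); the function names and the three-record sample are constructed for illustration, and the post does not say which tool was actually used.

```python
import struct

# Classic pcap magics as they appear on disk: (byte order, ticks per second).
# The last two are the nanosecond-resolution variant. pcapng is not handled.
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),
}

def compress_pcap_time(data: bytes, factor: float) -> bytes:
    """Return a copy of the pcap with inter-packet gaps divided by factor."""
    if factor <= 0:
        raise ValueError("factor must be positive")
    if data[:4] not in _MAGICS:
        raise ValueError("not a classic pcap file")
    endian, units = _MAGICS[data[:4]]
    out = bytearray(data[:24])            # 24-byte global header, unchanged
    off, t0 = 24, None
    while off + 16 <= len(data):
        sec, frac, incl, orig = struct.unpack_from(endian + "IIII", data, off)
        if off + 16 + incl > len(data):
            break                         # truncated final record: drop it
        t = sec * units + frac            # integer ticks since the epoch
        if t0 is None:
            t0 = t                        # first packet keeps its timestamp
        new_t = t0 + round((t - t0) / factor)
        out += struct.pack(endian + "IIII", new_t // units, new_t % units, incl, orig)
        out += data[off + 16 : off + 16 + incl]   # packet bytes untouched
        off += 16 + incl
    return bytes(out)

def timestamps(data: bytes) -> list:
    """Timestamps of all records, in seconds, for checking the result."""
    endian, units = _MAGICS[data[:4]]
    ts, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl, _ = struct.unpack_from(endian + "IIII", data, off)
        ts.append(sec + frac / units)
        off += 16 + incl
    return ts

def sample_pcap() -> bytes:
    # Constructed input: three dummy 4-byte records at 1000.0, 1010.0, 1020.5 s.
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec in ((1000, 0), (1010, 0), (1020, 500000)):
        pcap += struct.pack("<IIII", sec, usec, 4, 4) + b"\x00" * 4
    return pcap
```

A factor of 10 corresponds to the "compressed to 2min" case above and 20 to the "compressed to 1min" case.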

