Denial of Service on Bro via Scott Crosby and Dan Wallach's method...fixed in bro-pub-0.8a32?
Jim Mellander
jmellander at lbl.gov
Mon Jul 14 09:54:36 PDT 2003
Ruoming Pang wrote:
>
<snip>
>
> Jim,
>
> Thanks for your suggestion. Yes, we are looking for an implementation of a
> *universal* hash function (e.g. one option is to find a stable
> implementation of UMAC). I'd love to hear if you have any suggestion on
> this regard.
>
> As to the hash function you suggested, I think it would suffer the same
> kind of DoS attack. Scott's paper explains it quite well -- the problem
> with the original function is that it first reduces the value down to a
> 32-bit value with a simple function, and it is easy to find collisions for
> this step so that the attacker can generate numerous strings that will be
> reduced to the same 32-bit number. Afterwards, no matter what you do on
> the 32-bit number can prevent collisions.
>
> Ruoming
Hmm, that's a good point - the reduction to a 32-bit number would still
be predictable. Why not apply the xor function to the input, then,
before the reduction takes place? - this presumably would remove the
predictability of the reduction step.
--
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204
Your fortune for today is:
Save energy: Drive a smaller shell.
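As an added illustration of Ruoming's point above (example code written for this page, not code from the Bro project or from either author): an unkeyed reduction step such as a byte sum maps every permutation of the same bytes to the same 32-bit value, so whatever finalizer is applied afterwards, the inputs still share a bucket. A keyed hash family, where a per-process random key enters the reduction itself, does not have that fixed collision structure. The byte-sum reduction, the finalizer and the prime-field polynomial hash are constructed stand-ins for this example, not Bro's actual functions; the key constant 5 used in the check is a fixed value chosen for reproducibility, a real deployment would call `random_key()` once at startup.

```python
import secrets
from itertools import permutations

MASK32 = 0xFFFFFFFF


def weak_reduce(data: bytes) -> int:
    """Constructed stand-in for an unkeyed reduction step: fold the input
    to 32 bits with a byte sum.  Every reordering of the same bytes yields
    the same value, independent of anything done later."""
    return sum(data) & MASK32


def post_mix(x: int) -> int:
    """Strong-looking but unkeyed finalizer applied after the reduction."""
    x ^= x >> 16
    x = (x * 0x85EBCA6B) & MASK32
    x ^= x >> 13
    x = (x * 0xC2B2AE35) & MASK32
    x ^= x >> 16
    return x


def weak_hash(data: bytes, nbuckets: int, finalize=post_mix) -> int:
    """Reduce first, then mix: the finalizer cannot separate inputs that
    the reduction already merged (swap in any finalize you like)."""
    return finalize(weak_reduce(data)) % nbuckets


# Keyed polynomial hash over a prime field: the secret base enters every
# step of the reduction, so collision structure depends on a key the
# sender does not know.  Adding 1 to each byte keeps leading NUL bytes
# from being absorbed by the initial zero state.
P = (1 << 61) - 1  # Mersenne prime


def random_key() -> int:
    """Fresh random base in [2, P-1]; generate once per process."""
    return secrets.randbelow(P - 2) + 2


def keyed_hash(data: bytes, key: int, nbuckets: int) -> int:
    h = 0
    for b in data:
        h = (h * key + b + 1) % P
    return h % nbuckets


def max_chain_depth(items, hashfn) -> int:
    """Longest bucket chain a table would see for these items under hashfn."""
    buckets = {}
    for item in items:
        slot = hashfn(item)
        buckets[slot] = buckets.get(slot, 0) + 1
    return max(buckets.values())


# Constructed input set: all 24 byte permutations of b"abcd".
ANAGRAMS = [bytes(p) for p in permutations(b"abcd")]


if __name__ == "__main__":
    # Same bytes, different order: identical under the unkeyed scheme,
    # whatever finalizer is used.
    for fin in (post_mix, lambda x: x):
        print(weak_hash(b"ab", 1024, fin), weak_hash(b"ba", 1024, fin))
    # All 24 anagrams land in one chain under the weak hash ...
    print(max_chain_depth(ANAGRAMS, lambda d: weak_hash(d, 4096)))
    # ... but spread out under a keyed hash with a per-process key.
    key = random_key()
    print(max_chain_depth(ANAGRAMS, lambda d: keyed_hash(d, key, 4096)))
```

The chain-depth measurement is the defender's check: if a small crafted-looking input set drives the longest chain in a hash table toward the number of inserted items regardless of table size, the reduction step rather than the finalizer is where the fix belongs.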