[Bro] Bro: TCP reassembly question
Vern Paxson
vern at icir.org
Fri Jan 27 00:52:40 PST 2006
> > What is the size of the reassembly buffer ? Does that grow ? till what
> > size does it grow ?
>
> That's a great question. I'm not aware of any cap on the total size of
> reassembly buffers.
Indeed, there isn't, other than exhausting memory. In a USENIX Security
paper last year with Sarang Dharmapurikar, we showed that in the absence
of an adversary attempting to exhaust this memory, the actual consumption
in operation is quite modest (10s to 100s of KBs). With an adversary, though,
it gets harder, and Bro at present is vulnerable to such an attack.
Vern
More information about the Bro
mailing list