Re: Extensible hashing and RCU

[Eric Dumazet <dada1@cosmosbay.com>]

On Tuesday 20 February 2007 16:49, Michael K. Edwards wrote:
> On 2/20/07, Evgeniy Polyakov <johnpol@2ka.mipt.ru> wrote:
> > Jenkins _does_ have them, I showed tests half a year ago and in this
> > thread too. Actually _any_ hash has them it is just a matter of time
> > to find one.
>
> I think you misunderstood me.  If you are trying to DoS me from
> outside with a hash collision attack, you are trying to feed me
> packets that fall into the same hash bucket.  The Jenkins hash does
> not have to be artifact-free, and does not have to be
> cryptographically strong.  It just has to do a passable job of mixing
> a random salt into the tuple, so you don't know which string of
> packets to feed me in order to fill one (or a few) of my buckets.
> XORing salt into a folded tuple doesn't help; it just permutes the
> buckets.

Yes. I must say I had an attack like that some years ago on one particular 
server : Some tcp ehash chains had a length > 1000. I had to plug jenkin hash 
to stop the attack (thanks to David :), and thanks to oprofile to let me 
understand what was happening )

The attacker was controlling several thousand of zombies and was able to 
choose its src port (knowing its src ip addr) to target *one* particular hash 
bucket on my web server.

Each zombie was opening one tcp socket only, so a firewall could not detect 
them, they had a absolutely normal behavior.

XOR, combined with the 16 bits range of src port, permits a lot of easy 
guessing for the attacker (since it knows the ehash_size of target is a power 
of two...)