Hello,
It seems that no resolution was found for the route cache DoS issue
(am I wrong here?).
I was wondering, and I'd like to persue this line of thought if you
don't consider this stupid: wouldn't it be better, when we find that
the machine is under DoS to avoid creating route cache entries instead
of simply trying to drop entries that exist?
Couldn't we create entries only once for every 1<<n packets on
ip_route_input_slow so that flows with many packets will have route
cache entries created with higher probability than flows with very
little connections. The n variable could be adjusted according to
perceived DoS-ness.
Is this stupid?
Andre
|