On Sun, 3 Apr 2005 05:32:24 +1000
Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote:
> On Sat, Apr 02, 2005 at 03:48:32PM +0200, Robert Olsson wrote:
> >
> > > Crashes usually occur when the secret_interval interval has elapsed:
> > > rt_cache_flush(0); is called, and the whole machine begins to die.
> >
> > A good idea to increase the secret_interval interval but it should survive.
>
> Incidentally we should change the way the rehashing is triggered.
> Instead of doing it regularly, we can do it when we notice that a
> specific hash chain grows beyond a certain size.
>
> The idea is that if someone is attacking our hash then they can
> only do so by lengthening the chains. If they're not doing that
> then even if they knew how to attack us we don't really care.
Yes, the secret_interval is way too short. It is a very paranoid
default value selected when initially fixing that DoS.
I think we should, in the short term, increase the secret interval
where it exists in the tree (netfilter conntrack is another instance
for example).
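
Herbert's chain-length trigger, as an added illustration that is not code from this thread or from the kernel: a small keyed hash table in C that rehashes under a fresh secret only when some chain grows past a threshold, run once as a timer-only table (which simply accumulates the colliding keys) and once with the trigger enabled. The bucket count, the CHAIN_LIMIT threshold, the murmur3-style key mix, the LCG standing in for get_random_bytes() and every function name are assumptions made for the demo; the attacker is modelled as already knowing the current secret, since that is the only case in which crafting collisions is possible at all.

```c
/* Added example, not code from this thread or from the kernel: a tiny keyed
 * hash table that rehashes under a fresh secret only when a chain grows past
 * CHAIN_LIMIT. Bucket count, threshold, mix and PRNG are demo assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS    64
#define CHAIN_LIMIT 8      /* assumed threshold; the real value is a tuning choice */
struct entry { uint32_t key; struct entry *next; };
struct table {
    struct entry *bucket[NBUCKETS];
    uint32_t secret, rng;     /* hash secret (replaced on rehash) and PRNG state */
    int rehash_on_long_chain; /* 0: never rehash (timer-only model), 1: chain-triggered */
    unsigned long rehashes;
};

/* Keyed hash: whoever knows 'secret' can pick keys that all share a bucket. */
static uint32_t hash_key(uint32_t key, uint32_t secret)
{
    uint32_t h = key ^ secret;
    h ^= h >> 16; h *= 0x85EBCA6Bu;
    h ^= h >> 13; h *= 0xC2B2AE35u;
    return (h ^ (h >> 16)) % NBUCKETS;
}
static int chain_len(const struct entry *e) { int n = 0; for (; e; e = e->next) n++; return n; }

void table_init(struct table *t, uint32_t secret, int rehash_on_long_chain)
{
    memset(t, 0, sizeof *t);
    t->secret = secret; t->rng = 0xC0FFEEu;
    t->rehash_on_long_chain = rehash_on_long_chain;
}

int table_max_chain(const struct table *t)
{
    int max = 0;
    for (uint32_t b = 0; b < NBUCKETS; b++)
        if (chain_len(t->bucket[b]) > max) max = chain_len(t->bucket[b]);
    return max;
}

/* Re-bucket every entry under a fresh secret. */
static void table_rehash(struct table *t)
{
    struct entry *old[NBUCKETS];
    memcpy(old, t->bucket, sizeof old);
    memset(t->bucket, 0, sizeof t->bucket);
    t->rng = t->rng * 1664525u + 1013904223u;   /* LCG, for reproducibility only */
    t->secret = t->rng; t->rehashes++;
    for (uint32_t b = 0; b < NBUCKETS; b++)
        for (struct entry *e = old[b], *nx; e; e = nx) {
            uint32_t nb = hash_key(e->key, t->secret);
            nx = e->next; e->next = t->bucket[nb]; t->bucket[nb] = e;
        }
}

void table_insert(struct table *t, uint32_t key)
{
    uint32_t b = hash_key(key, t->secret);
    struct entry *e = malloc(sizeof *e);
    e->key = key; e->next = t->bucket[b]; t->bucket[b] = e;
    /* Chain-triggered rehash: an attacker can only hurt us by lengthening a chain,
     * so only that event costs a rehash; the retry loop is bounded on purpose. */
    if (t->rehash_on_long_chain && chain_len(t->bucket[b]) > CHAIN_LIMIT)
        for (int tries = 0; tries < 8 && table_max_chain(t) > CHAIN_LIMIT; tries++)
            table_rehash(t);
}

int table_lookup(const struct table *t, uint32_t key)
{
    for (const struct entry *e = t->bucket[hash_key(key, t->secret)]; e; e = e->next)
        if (e->key == key) return 1;
    return 0;
}

/* Attacker who has learned the current secret: brute-force keys for one bucket. */
void gen_colliding_keys(uint32_t leaked_secret, uint32_t target, uint32_t *out, int n)
{
    for (uint32_t k = 1; n > 0; k++)
        if (hash_key(k, leaked_secret) == target) { *out++ = k; n--; }
}

struct attack_result { unsigned long rehashes; int max_chain; int all_found; };
/* Insert nkeys keys that collide under leaked_secret; report what the table did. */
struct attack_result run_chain_attack(int nkeys, uint32_t leaked_secret, int rehash_on_long_chain)
{
    struct table t;
    uint32_t keys[nkeys];
    struct attack_result r = { 0, 0, 1 };
    table_init(&t, leaked_secret, rehash_on_long_chain);
    gen_colliding_keys(leaked_secret, 0, keys, nkeys);
    for (int i = 0; i < nkeys; i++) table_insert(&t, keys[i]);
    for (int i = 0; i < nkeys; i++) if (!table_lookup(&t, keys[i])) r.all_found = 0;
    r.rehashes = t.rehashes;
    r.max_chain = table_max_chain(&t);   /* chain entries are deliberately leaked in this demo */
    return r;
}
```

With the trigger off, run_chain_attack(40, 0, 0) leaves all 40 crafted keys in one bucket and never rehashes, which is the timer-only situation the thread is complaining about until the interval fires. With it on, the ninth colliding insert forces a rehash and the chain stays at or below CHAIN_LIMIT while every key remains findable. The caveat the retry bound hints at: the trigger limits what one leaked secret can do, but an attacker who keeps learning each fresh secret can force a rehash every CHAIN_LIMIT+1 insertions, so a real implementation would also rate-limit rehashing per table.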