mirror of
https://github.com/isc-projects/bind9.git
synced 2026-06-10 10:10:00 -04:00
[9.20] fix: usr: Prevent crafted queries from degrading RRL performance
With response rate limiting enabled, an attacker sending queries from many spoofed source addresses could steer entries into the same slot of the internal rate-limit table and slow down query processing on the affected server. The table now uses a per-process keyed hash so the placement of entries cannot be predicted or influenced from the network. Closes #5906 Backport of MR !11950 Merge branch 'backport-5906-rrl-hash-collision-dos-9.20' into 'bind-9.20' See merge request isc-projects/bind9!11952
This commit is contained in:
Ondřej Surý
commit
bf4cdca7e9
1 changed files with 8 additions and 8 deletions
|
|
@ -22,6 +22,8 @@
|
|||
#include <inttypes.h>
|
||||
#include <stdbool.h>
|
||||
|
||||
#include <isc/hash.h>
|
||||
#include <isc/log.h>
|
||||
#include <isc/mem.h>
|
||||
#include <isc/net.h>
|
||||
#include <isc/netaddr.h>
|
||||
|
|
@ -374,14 +376,12 @@ key_cmp(const dns_rrl_key_t *a, const dns_rrl_key_t *b) {
|
|||
|
||||
static uint32_t
|
||||
hash_key(const dns_rrl_key_t *key) {
|
||||
uint32_t hval;
|
||||
int i;
|
||||
|
||||
hval = key->w[0];
|
||||
for (i = sizeof(key->w) / sizeof(key->w[0]) - 1; i >= 0; --i) {
|
||||
hval = key->w[i] + (hval << 1);
|
||||
}
|
||||
return hval;
|
||||
/*
|
||||
* The key includes attacker-controlled bits (client /24, qname
|
||||
* hash, qtype). Use the keyed, per-process-randomised hash so
|
||||
* collisions cannot be engineered to overload one bucket chain.
|
||||
*/
|
||||
return isc_hash32(key, sizeof(*key), true);
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
|||
Loading…
Reference in a new issue