cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Reimplement ResultServer #756

Open jbremer opened 8 years ago

jbremer commented 8 years ago

Currently we're using some threading-based socket server thing. Now this isn't a direct issue, however, when we're analyzing a ransomware which modified a few thousand files, this effectively means that the host is spawning a few thousand threads to handle all sockets; one per dropped file.

This issue targets a reimplementation of the ResultServer based on epoll(7) so that only two threads are required: one to accept new connections and one to pass along all traffic. Naturally this requires the callback functions for the traffic thread to return in realtime (i.e., if it takes a second to handle one incoming buffer, all the other sockets will be on hold as well), but as the code is quite literally just writing away socket buffers to files, this shouldn't pose an actual issue.
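The event-loop design proposed above, as an added example that is not part of the original issue or Cuckoo's code: one loop multiplexes every upload socket and writes each received buffer straight to a file, so thousands of dropped files cost no extra threads. It uses Python's `selectors` module (backed by epoll on Linux) and, for brevity, handles accepts and traffic in the same loop rather than two threads; `run_result_server`, `max_conns` and the `upload_NNNN.bin` naming are assumptions made for this example.

```python
import os
import selectors
import socket


def run_result_server(listener, out_dir, max_conns):
    """Receive uploads until max_conns connections have closed.

    Returns {output path: bytes written}. Output names are chosen by the
    host, never taken from the (untrusted) guest.
    """
    sel = selectors.DefaultSelector()  # epoll-backed on Linux
    listener.setblocking(False)
    sel.register(listener, selectors.EVENT_READ, data=None)
    written, accepted, closed = {}, 0, 0
    while closed < max_conns:
        for key, _events in sel.select(timeout=1.0):
            if key.data is None:
                # Listening socket is readable: a new connection is waiting.
                try:
                    conn, _addr = listener.accept()
                except BlockingIOError:
                    continue
                conn.setblocking(False)
                accepted += 1
                path = os.path.join(out_dir, "upload_%04d.bin" % accepted)
                written[path] = 0
                sel.register(conn, selectors.EVENT_READ,
                             data=(open(path, "wb"), path))
                continue
            # Upload socket is readable: write the buffer away and return
            # quickly so the other sockets are not kept on hold.
            fh, path = key.data
            try:
                buf = key.fileobj.recv(65536)
            except BlockingIOError:
                continue
            except ConnectionError:
                buf = b""  # treat a reset as end of upload
            if buf:
                fh.write(buf)
                written[path] += len(buf)
            else:
                sel.unregister(key.fileobj)
                key.fileobj.close()
                fh.close()
                closed += 1
    sel.unregister(listener)
    sel.close()
    return written
```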

XayOn commented 8 years ago

+1