Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 24 Apr 2004 18:05:45 +0200
From:      Andre Oppermann <andre@freebsd.org>
To:        Alan Evans <evans.alan@sbcglobal.net>
Cc:        net@freebsd.org
Subject:   Re: TCP vulnerability
Message-ID:  <408A9059.B31E720A@freebsd.org>
References:  <20040424154328.24028.qmail@web80105.mail.yahoo.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Alan Evans wrote:
> 
> I agree, but what's most important is to maintain
> backward compatibility. If one breaks it, it's a DoS
> is some sense. I also saw some postings on NetBSD
> which does ratelimiting of ACKs (in response to SYNs),
> and ACKs RST. IMHO, the latter is bogus - why ACK a
> RST? And, the former may impose an artificial limit
> of some sort.

Dunno about the rate limiting.  The ACK of the RST is recommended
in the paper you have referenced but only when sequence number of
the segment with the RST is not the next expected but within the
window.  Makes sense to reduce the chances of an successful blind
reset from 2^32/win to 2^32.  With large windows definitely a win
by an order of an magnitude.

-- 
Andre



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?408A9059.B31E720A>