Date: Sat, 24 Apr 2004 18:05:45 +0200 From: Andre Oppermann <andre@freebsd.org> To: Alan Evans <evans.alan@sbcglobal.net> Cc: net@freebsd.org Subject: Re: TCP vulnerability Message-ID: <408A9059.B31E720A@freebsd.org> References: <20040424154328.24028.qmail@web80105.mail.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Alan Evans wrote: > > I agree, but what's most important is to maintain > backward compatibility. If one breaks it, it's a DoS > is some sense. I also saw some postings on NetBSD > which does ratelimiting of ACKs (in response to SYNs), > and ACKs RST. IMHO, the latter is bogus - why ACK a > RST? And, the former may impose an artificial limit > of some sort. Dunno about the rate limiting. The ACK of the RST is recommended in the paper you have referenced but only when sequence number of the segment with the RST is not the next expected but within the window. Makes sense to reduce the chances of an successful blind reset from 2^32/win to 2^32. With large windows definitely a win by an order of an magnitude. -- Andre
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?408A9059.B31E720A>