Date: Mon, 3 Jan 2005 23:49:24 -0800 (PST)
From: Don Lewis <truckman@FreeBSD.org>
To: silby@silby.com
Cc: net@FreeBSD.org
Subject: Re: Fixing "Slipping in the window" before 4.11-release
Message-ID: <200501040749.j047nOKC003234@gw.catspoiler.org>
In-Reply-To: <20050104002732.D68869@odysseus.silby.com>
On 4 Jan, Mike Silbersack wrote:
>
> On Mon, 3 Jan 2005, Don Lewis wrote:
>> I'm not sure that it makes sense to rate limit the ACKs in this special
>> case. If an attacker has enough information to trigger an ACK response
>> flood from the hardened stack, he could still produce a flood by turning
>> off the SYN bit. A general way of rate limiting ACKs triggered by the
>> reception of out of window data could be a good idea, but this would
>> have to be done very carefully to avoid breaking the algorithms that
>> look at ACKs to sense network congestion.
>
> I probably agree here... but I want to just fix this one problem for 4.11,
> and I don't want to touch the rest of the TCP stack whatsoever. If
> integrating this case with others in rate limiting makes sense, we could
> do that in 6.x and 5.x, but I don't want to risk breaking 4.x by rewriting
> dropafterack at this point in time.

Agreed. Tweaking the dropafterack stuff would need to be thoroughly
discussed, and it would need to soak for quite a while in 6.x to make sure
that it didn't cause interoperability problems.
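Added example, not code from this thread or from the FreeBSD TCP stack: a small C model of the two throttling choices compared above. A segment outside the receive window is dropped and answered with an ACK; one policy throttles that ACK only when the segment carries SYN, the other throttles every ACK produced on the drop path. Feeding a burst of out-of-window segments through both shows why the SYN-only limiter bounds nothing once the SYN bit is cleared. The window check, the token-bucket limiter, the struct and function names, and the burst sizes are all constructed for this example and are not the kernel's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model of the "dropafterack" path: a segment on an
 * established connection that falls outside the receive window is dropped
 * and answered with an ACK. Names and numbers are constructed for the
 * example, not taken from the FreeBSD source. */

#define TH_SYN 0x02

struct seg {
    uint32_t seq;    /* sequence number of the segment */
    uint8_t  flags;  /* TH_SYN or 0 */
};

struct conn {
    uint32_t rcv_nxt;        /* next sequence number we expect */
    uint32_t rcv_wnd;        /* size of the receive window */
    uint32_t ack_tokens;     /* ACK budget left in the current tick */
    uint32_t ack_tokens_max; /* budget restored on each tick */
};

enum policy {
    LIMIT_SYN_ONLY, /* throttle only the out-of-window SYN case */
    LIMIT_ALL_OOW   /* throttle every ACK sent for an out-of-window segment */
};

/* Window check on the starting sequence number only, modulo 2^32. */
static bool in_window(const struct conn *c, const struct seg *s)
{
    return (uint32_t)(s->seq - c->rcv_nxt) < c->rcv_wnd;
}

/* Refill the ACK budget; called once per limiter interval. */
static void tick(struct conn *c)
{
    c->ack_tokens = c->ack_tokens_max;
}

/* Returns true if the stack emits an ACK for this segment. In-window
 * segments are accepted as data and are not part of what is being
 * measured, so they return false here. */
static bool handle_segment(struct conn *c, const struct seg *s, enum policy p)
{
    if (in_window(c, s))
        return false;                 /* accepted, not a dropafterack case */

    bool throttled = (p == LIMIT_ALL_OOW) || (s->flags & TH_SYN);
    if (!throttled)
        return true;                  /* unthrottled ACK goes out */
    if (c->ack_tokens == 0)
        return false;                 /* budget spent: drop silently */
    c->ack_tokens--;
    return true;
}

/* Feed n out-of-window segments within a single tick and count the ACKs
 * produced. with_syn selects SYN-flagged segments or plain data segments. */
static unsigned burst_acks(enum policy p, bool with_syn, unsigned n)
{
    struct conn c = { .rcv_nxt = 1000, .rcv_wnd = 65535,
                      .ack_tokens = 0, .ack_tokens_max = 10 };
    tick(&c);
    unsigned acks = 0;
    for (unsigned i = 0; i < n; i++) {
        /* constructed segment just beyond the right edge of the window */
        struct seg s = { .seq = c.rcv_nxt + c.rcv_wnd + i,
                         .flags = with_syn ? TH_SYN : 0 };
        if (handle_segment(&c, &s, p))
            acks++;
    }
    return acks;
}

int main(void)
{
    printf("SYN-only limiter, SYN burst:  %u ACKs\n",
           burst_acks(LIMIT_SYN_ONLY, true, 1000));
    printf("SYN-only limiter, data burst: %u ACKs\n",
           burst_acks(LIMIT_SYN_ONLY, false, 1000));
    printf("all-OOW limiter, data burst:  %u ACKs\n",
           burst_acks(LIMIT_ALL_OOW, false, 1000));
    return 0;
}
```

With a budget of ten ACKs per tick, the SYN-only policy emits ten ACKs for a thousand SYN segments but a thousand ACKs for a thousand plain data segments; the all-out-of-window policy emits ten in both cases. The limiter here touches only ACKs generated for segments that are dropped, never ACKs that acknowledge accepted data, which is the separation the message's caveat about congestion-sensing algorithms calls for.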