From owner-freebsd-net@FreeBSD.ORG Thu Jan 6 20:46:45 2005
Date: Thu, 6 Jan 2005 14:46:42 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: Mark Allman
cc: rrs@cisco.com
cc: net@freebsd.org
Subject: Re: Fixing "Slipping in the window" before 4.11-release
In-Reply-To: <20050105151352.87D2A77B0CC@guns.icir.org>
Message-ID: <20050106143727.S18425@odysseus.silby.com>
References: <20050105151352.87D2A77B0CC@guns.icir.org>

On Wed, 5 Jan 2005, Mark Allman wrote:

> I ran this idea by Randall Stewart, who has done a bunch of thinking on
> this topic (and helped produce one of the current internet-drafts on
> the topic). He swayed me that my initial hit (above) might not be quite
> right. Below is Randall's response to my forward of Mike's note
> (forwarded with permission). This is a case that had not occurred to me
> and leaves me thinking maybe ignoring SYNs is not quite the right
> approach. However, I think there could be times when ignoring SYNs
> might be fine. E.g., if the connection is moving right along and there
> are other packets being transmitted and ACKed and we see a SYN, it
> should be ignored.
>
> FWIW.
>
> allman

Don convinced me of the same thing, using similar reasoning.

I think that you're right that "there could be times when ignoring SYNs might be fine." I think that we track how long a connection has been idle; my plan is to only respond to SYNs if the connection has been idle for more than 30 seconds. That should ensure that we handle the client crashing case properly (even if the client reboots instantly, it'll keep retransmitting SYNs for more than 30 seconds), but also ensure that we do not let a forged SYN flood prod us into sending unnecessary ACKs. I'll try to get this coded up this weekend.

(Yes, rate limiting ACKs to these types of SYNs would also help, but it would be nice to not send any unnecessary packets.)

Thanks for Randall's response, it provided some useful insight into the situation.

Mike "Silby" Silbersack
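The idle-time gate Mike proposes, as an added illustration that is not code from FreeBSD or from anyone in this thread: two constructed traces (a forged SYN flood against a busy connection, and a client that rebooted and keeps retransmitting SYNs) are replayed through a "respond only if idle for more than 30 seconds" rule and the ACKs it would send are counted. The struct, function names and event timings are assumptions made for the illustration; the rate-limiting alternative mentioned in the mail is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>

/* Idle threshold from the mail: answer an in-window SYN only if the
 * connection has carried no legitimate segment for longer than this. */
#define SYN_IDLE_THRESHOLD_SEC 30

/* Minimal per-connection state (hypothetical, not FreeBSD's tcpcb). */
struct tcp_conn { uint32_t last_activity; /* seconds, monotonic clock */ };

/* In-window SYN on an ESTABLISHED connection: true = send the ACK, false = drop silently. */
bool should_ack_inwindow_syn(const struct tcp_conn *c, uint32_t now)
{
    return (now - c->last_activity) > SYN_IDLE_THRESHOLD_SEC;
}

/* Constructed trace: EV_DATA is any valid data/ACK segment that moves the
 * connection along; EV_SYN is an in-window SYN the policy must judge. */
enum ev_kind { EV_DATA, EV_SYN };
struct event { uint32_t t; enum ev_kind kind; };

/* Replay a trace and return how many SYNs would be answered with an ACK. */
int replay(struct tcp_conn *c, const struct event *ev, int n)
{
    int acks = 0;
    for (int i = 0; i < n; i++) {
        if (ev[i].kind == EV_DATA)
            c->last_activity = ev[i].t;      /* connection is not idle */
        else if (should_ack_inwindow_syn(c, ev[i].t))
            acks++;
    }
    return acks;
}

/* Forged SYNs every second while real data keeps flowing: the connection
 * never goes idle, so the flood provokes no ACKs at all. */
int forged_flood_acks(void)
{
    struct tcp_conn c = { 0 };
    const struct event trace[] = { {0, EV_DATA}, {1, EV_SYN}, {2, EV_DATA},
        {3, EV_SYN}, {4, EV_DATA}, {5, EV_SYN}, {6, EV_DATA}, {7, EV_SYN} };
    return replay(&c, trace, 8);
}

/* Client reboots right after its last segment at t=0 and keeps retransmitting
 * SYNs with backoff; only the retransmit past 30 s of idleness gets an ACK. */
int crashed_client_acks(void)
{
    struct tcp_conn c = { 0 };
    const struct event trace[] = { {0, EV_DATA}, {1, EV_SYN}, {4, EV_SYN},
        {10, EV_SYN}, {22, EV_SYN}, {46, EV_SYN} };
    return replay(&c, trace, 6);
}
```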