TCP vulnerability

[Andre Oppermann]

Alan Evans wrote:
> 
> I agree, but what's most important is to maintain
> backward compatibility. If one breaks it, it's a DoS
> is some sense. I also saw some postings on NetBSD
> which does ratelimiting of ACKs (in response to SYNs),
> and ACKs RST. IMHO, the latter is bogus - why ACK a
> RST? And, the former may impose an artificial limit
> of some sort.

Dunno about the rate limiting.  The ACK of the RST is recommended
in the paper you have referenced but only when sequence number of
the segment with the RST is not the next expected but within the
window.  Makes sense to reduce the chances of an successful blind
reset from 2^32/win to 2^32.  With large windows definitely a win
by an order of an magnitude.

-- 
Andre