Fixing "Slipping in the window" before 4.11-release
Don Lewis
truckman at FreeBSD.org
Mon Jan 3 23:49:32 PST 2005
On 4 Jan, Mike Silbersack wrote:
>
> On Mon, 3 Jan 2005, Don Lewis wrote:
>> I'm not sure that it makes sense to rate limit the ACKs in this special
>> case. If an attacker has enough information to trigger an ACK response
>> flood from the hardened stack, he could still produce a flood by turning
>> off the SYN bit. A general way of rate limiting ACKs triggered by the
>> reception of out of window data could be a good idea, but this would
>> have to be done very carefully to avoid breaking the algorithms that
>> look at ACKs to sense network congestion.
>
> I probably agree here... but I want to just fix this one problem for 4.11,
> and I don't want to touch the rest of the TCP stack whatsoever. If
> integrating this case with others in rate limiting makes sense, we could
> do that in 6.x and 5.x, but I don't want to risk breaking 4.x by rewriting
> dropafterack at this point in time.
Agreed. Tweaking the dropafterack stuff would need to be thoroughly
discussed, and it would need to soak for quite a while in 6.x to make
sure that it didn't cause any interoperability problems.
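As an added illustration of the "general way of rate limiting ACKs triggered by the reception of out of window data" discussed above, here is a small per-second limiter in C. It is hypothetical example code written for this page, not code from the FreeBSD TCP stack or from either poster; the names `ack_ratelim`, `ack_ratelim_allow` and `simulate_burst`, and the constructed bursts fed to it, are assumptions. It shows the one behaviour such a limiter must get right: the count resets at the second boundary, so a burst straddling two seconds can get up to twice the limit in responses.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical per-second rate limit on ACKs sent in response to
 * out-of-window segments. Not FreeBSD code; names are assumptions.
 */
struct ack_ratelim {
    uint64_t second;    /* wall-clock second the current count belongs to */
    unsigned count;     /* ACKs already sent during that second */
    unsigned limit;     /* maximum ACKs allowed per second (0 = unlimited) */
    unsigned dropped;   /* ACKs suppressed so far, useful for monitoring */
};

void ack_ratelim_init(struct ack_ratelim *r, unsigned limit)
{
    r->second = 0;
    r->count = 0;
    r->limit = limit;
    r->dropped = 0;
}

/*
 * Decide whether an ACK may be sent for an out-of-window segment that
 * arrived at time now_sec. The counter resets whenever the second changes,
 * so a burst spanning a boundary can receive at most 2*limit responses.
 */
bool ack_ratelim_allow(struct ack_ratelim *r, uint64_t now_sec)
{
    if (now_sec != r->second) {
        r->second = now_sec;
        r->count = 0;
    }
    if (r->limit != 0 && r->count >= r->limit) {
        r->dropped++;
        return false;
    }
    r->count++;
    return true;
}

/*
 * Feed a constructed burst of n out-of-window segments, all arriving within
 * second `sec`, through the limiter and return how many ACKs would go out.
 */
unsigned simulate_burst(struct ack_ratelim *r, unsigned n, uint64_t sec)
{
    unsigned sent = 0;
    for (unsigned i = 0; i < n; i++)
        if (ack_ratelim_allow(r, sec))
            sent++;
    return sent;
}

int main(void)
{
    struct ack_ratelim r;
    ack_ratelim_init(&r, 100);
    unsigned s1 = simulate_burst(&r, 1000, 1);  /* first second: capped at 100 */
    unsigned s2 = simulate_burst(&r, 50, 2);    /* next second: all 50 pass */
    printf("second 1: %u ACKs sent, second 2: %u ACKs sent, %u suppressed\n",
           s1, s2, r.dropped);
    return 0;
}
```

The limiter is only meaningful if it is applied on the out-of-window response path alone; as the thread points out, ACKs on an established connection are read by the congestion-sensing algorithms, and a limiter that touched those would change behaviour well beyond the case being fixed.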