Fixing "Slipping in the window" before 4.11-release
- Subject: Fixing "Slipping in the window" before 4.11-release
- From: truckman at FreeBSD.org (Don Lewis)
- Date: Tue Jan 4 07:49:36 2005
On 4 Jan, Mike Silbersack wrote:
>
> On Mon, 3 Jan 2005, Don Lewis wrote:
>> I'm not sure that it makes sense to rate limit the ACKs in this special
>> case. If an attacker has enough information to trigger an ACK response
>> flood from the hardened stack, he could still produce a flood by turning
>> off the SYN bit. A general way of rate limiting ACKs triggered by the
>> reception of out of window data could be a good idea, but this would
>> have to be done very carefully to avoid breaking the algorithms that
>> look at ACKs to sense network congestion.
>
> I probably agree here... but I want to just fix this one problem for 4.11,
> and I don't want to touch the rest of the TCP stack whatsoever. If
> integrating this case with others in rate limiting makes sense, we could
> do that in 6.x and 5.x, but I don't want to risk breaking 4.x by rewriting
> dropafterack at this point in time.
Agreed. Tweaking the dropafterack stuff would need to be thoroughly
discussed, and it would need to soak for quite a while in 6.x to make
sure that it didn't cause any interoperability problems.