Subject: Re: ACK rate-limiting
To: Jason Thorpe <thorpej@wasabisystems.com>
From: Jonathan Stone <jonathan@dsg.stanford.edu>
List: tech-net
Date: 04/20/2004 12:12:00
In message <26DA0A72-92EC-11D8-84A4-000A957650EC@wasabisystems.com> Jason Thorpe writes:

>Isn't rate-limiting against SYNs effectively going to rate-limit how 
>quickly you can passively establish a TCP connection?  This doesn't 
>strike me as being very good for e.g. web servers.
>
>...or, am I just missing something?

For a cogent, sensible discussion, see

    http://www.uniras.gov.uk/vuls/2004/236929/index.htm
    http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt

Why band-aid this by applying the ppsratecheck to rate-limit the
outbound ACKs?  Surely this rate-limiting creates the potential to
break the intended challenge-response handling of a real, legit RST?
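To make the concern raised above concrete, the following is an added simulation; it is not NetBSD code and not part of the thread. It models the RST handling described in draft-ietf-tcpm-tcpsecure (out-of-window RST dropped, RST with SEG.SEQ exactly RCV.NXT accepted, any other in-window RST answered with a "challenge" ACK) and a simplified stand-in for ppsratecheck with an assumed budget of 10 ACKs per second. A legitimate peer whose idea of SND.NXT is a few bytes ahead (data still in flight) needs that challenge ACK to learn the exact value and retry; when the ACK budget has already been consumed by a burst of inexact in-window RSTs, the legitimate reset never completes. All sequence numbers, window sizes, timestamps and the 10 pps budget are constructed values.

```python
"""Simulation of tcpsecure-style RST handling with and without a
ppsratecheck-like limit on challenge ACKs (added example, not NetBSD code)."""

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PpsRateCheck:
    """Simplified model of BSD ppsratecheck(): at most `maxpps` events are
    allowed per one-second window (constructed model, not the real function)."""
    maxpps: int
    window_start: float = 0.0
    count: int = 0

    def allow(self, now: float) -> bool:
        # Open a fresh one-second window when the old one has elapsed.
        if now - self.window_start >= 1.0:
            self.window_start = now
            self.count = 0
        self.count += 1
        return self.count <= self.maxpps


@dataclass
class Endpoint:
    """Receiving side of an ESTABLISHED connection (constructed model)."""
    rcv_nxt: int
    rcv_wnd: int
    limiter: Optional[PpsRateCheck] = None
    state: str = "ESTABLISHED"
    sent_acks: int = 0
    dropped_acks: int = 0

    def on_rst(self, seq: int, now: float) -> str:
        """tcpsecure RST rules: drop if outside the window, reset only on an
        exact RCV.NXT match, otherwise answer with a challenge ACK."""
        if not (self.rcv_nxt <= seq < self.rcv_nxt + self.rcv_wnd):
            return "dropped"
        if seq == self.rcv_nxt:
            self.state = "CLOSED"
            return "reset"
        # Challenge ACK, possibly suppressed by the rate limiter.
        if self.limiter is None or self.limiter.allow(now):
            self.sent_acks += 1
            return "challenge-ack"
        self.dropped_acks += 1
        return "ack-suppressed"


def legit_reset(ep: Endpoint, peer_snd_nxt: int, now: float) -> bool:
    """A real peer resets: its first RST carries its own SND.NXT.  If the
    receiver replies with a challenge ACK (which carries RCV.NXT), the peer
    retries with that exact value; with no ACK it learns nothing."""
    first = ep.on_rst(peer_snd_nxt, now)
    if first == "reset":
        return True
    if first == "challenge-ack":
        return ep.on_rst(ep.rcv_nxt, now) == "reset"
    return False


def scenario(rate_limited: bool, burst: int) -> Tuple[bool, str, int, int]:
    """Run `burst` inexact in-window RSTs (whatever their origin) at t=0.5s,
    then a legitimate reset at t=0.6s whose SND.NXT is 5 bytes ahead."""
    limiter = PpsRateCheck(maxpps=10) if rate_limited else None
    ep = Endpoint(rcv_nxt=1000, rcv_wnd=65535, limiter=limiter)
    for i in range(burst):
        ep.on_rst(ep.rcv_nxt + 1 + i, now=0.5)
    ok = legit_reset(ep, ep.rcv_nxt + 5, now=0.6)
    return ok, ep.state, ep.sent_acks, ep.dropped_acks


if __name__ == "__main__":
    print("no limit, burst of 100 :", scenario(False, 100))
    print("10 pps limit, burst 100:", scenario(True, 100))
    print("10 pps limit, no burst :", scenario(True, 0))
```

With no limiter the endpoint answers all 100 inexact RSTs plus the legitimate one, and the retry with the exact sequence number closes the connection. With the 10 pps budget already spent by the burst, the legitimate peer's challenge ACK is the 101st in the window and is suppressed, so the connection stays ESTABLISHED; the limiter trades away the challenge-response behaviour exactly when it is under load.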