Subject: Re: ACK rate-limiting
To: None <thorpej@wasabisystems.com>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: tech-net
Date: 04/21/2004 02:02:09
> On Apr 20, 2004, at 9:52 AM, Jun-ichiro itojun Hagino wrote:
>
> > Module Name: src
> > Committed By: itojun
> > Date: Tue Apr 20 16:52:12 UTC 2004
> >
> > Modified Files:
> > src/sys/netinet: tcp_input.c tcp_subr.c tcp_var.h
> >
> > Log Message:
> > - respond to RST by ACK, as suggested in NISCC recommendation
> > - rate-limit ACKs against RSTs and SYNs
>
> Isn't rate-limiting against SYNs effectively going to rate-limit how
> quickly you can passively establish a TCP connection? This doesn't
> strike me as being very good for e.g. web servers.
>
> ...or, am I just missing something?

it's rate-limiting ACKs against SYN (see NISCC vulnerability note)
to an already-established connection. i did not touch the handshake code.
itojun
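The distinction itojun draws above (ACKs generated for RST/SYN segments on an established connection are rate-limited; SYNs to a listening socket still complete the handshake unconditionally) is sketched here as a small simulation. This is an added example, not code from the NetBSD commit: the states, flag constants, ACK_LIMIT and the per-second counter are constructed, and the sequence-number window checks of the real tcp_input.c are omitted.

```c
/* Model of rate-limited "challenge ACKs" on established TCP connections.
 * Constructed example; not NetBSD's tcp_input.c or its rate limiter. */
#include <stdio.h>
#include <stdint.h>

#define TH_SYN 0x02
#define TH_RST 0x04
#define ACK_LIMIT 5          /* constructed limit: ACKs sent per second */

enum state { LISTEN, ESTABLISHED };
enum reply { NONE, SYNACK, ACK, DROP };

struct limiter { uint32_t last_sec; unsigned count; };

/* Returns 1 if another ACK may be sent within this second, 0 if limited. */
static int ack_ratecheck(struct limiter *l, uint32_t now_sec) {
    if (l->last_sec != now_sec) { l->last_sec = now_sec; l->count = 0; }
    return ++l->count <= ACK_LIMIT;
}

static enum reply tcp_input_sim(enum state st, uint8_t flags,
                                struct limiter *l, uint32_t now_sec) {
    if (st == LISTEN) {
        /* Passive open: the handshake path is not rate-limited. */
        return (flags & TH_SYN) ? SYNACK : NONE;
    }
    if (flags & (TH_RST | TH_SYN)) {
        /* Established connection: answer an unexpected RST/SYN with an ACK
         * rather than tearing the connection down, but cap how many ACKs
         * we generate so the response itself cannot be used to flood. */
        return ack_ratecheck(l, now_sec) ? ACK : DROP;
    }
    return NONE;  /* ordinary data/ACK segments: no special response */
}

/* Counts replies of kind `want` for n identical segments in one second. */
static unsigned count_replies(enum state st, uint8_t flags, unsigned n,
                              enum reply want) {
    struct limiter l = {0, 0};
    unsigned got = 0;
    for (unsigned i = 0; i < n; i++)
        if (tcp_input_sim(st, flags, &l, 100) == want) got++;
    return got;
}

int main(void) {
    printf("LISTEN, 20 SYNs      -> %u SYN-ACKs\n",
           count_replies(LISTEN, TH_SYN, 20, SYNACK));
    printf("ESTABLISHED, 20 RSTs -> %u ACKs, %u dropped\n",
           count_replies(ESTABLISHED, TH_RST, 20, ACK),
           count_replies(ESTABLISHED, TH_RST, 20, DROP));
    return 0;
}
```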