On 4 Jan, Mike Silbersack wrote:
>
> On Mon, 3 Jan 2005, Don Lewis wrote:
>
>> I'm not sure that it makes sense to rate limit the ACKs in this special
>> case. If an attacker has enough information to trigger an ACK response
>> flood from the hardened stack, he could still produce a flood by turning
>> off the SYN bit. A general way of rate limiting ACKs triggered by the
>> reception of out of window data could be a good idea, but this would
>> have to be done very carefully to avoid breaking the algorithms that
>> look at ACKs to sense network congestion.
>
> I probably agree here... but I want to just fix this one problem for 4.11,
> and I don't want to touch the rest of the TCP stack whatsoever. If
> integrating this case with others in rate limiting makes sense, we could
> do that in 6.x and 5.x, but I don't want to risk breaking 4.x by rewriting
> dropafterack at this point in time.

Agreed. Tweaking the dropafterack stuff would need to be thoroughly discussed, and it would need to soak for quite a while in 6.x to make sure that it didn't cause interoperability problems.

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net