On Fri, Apr 1, 2016 at 11:52 AM, Eric Dumazet <eduma...@google.com> wrote:
> Attackers like to use SYNFLOOD targeting one 5-tuple, as they
> hit a single RX queue (and cpu) on the victim.
>
> If they use random sequence numbers in their SYN, we detect
> they do not match the expected window and send back an ACK.
>
> This patch adds a rate limitation, so that the effect of such
> attacks is limited to ingress only.
>
> We roughly double our ability to absorb such attacks.

Thanks, Eric!

Acked-by: Neal Cardwell <ncardw...@google.com>

neal