From: Pau Espin Pedrol <pau.es...@tessares.net> Date: Tue, 7 Jun 2016 16:30:34 +0200
> RFC 5961 advises to only accept RST packets containing a seq number > matching the next expected seq number instead of the whole receive > window in order to avoid spoofing attacks. > > However, this situation is not optimal in the case SACK is in use at the > time the RST is sent. I recently run into a scenario in which packet > losses were high while uploading data to a server, and userspace was > willing to frequently terminate connections by sending a RST. In > this case, the ACK sent on the receiver side (rcv_nxt) is frozen waiting > for a lost packet retransmission and SACK blocks are used to let the > client continue uploading data. At some point later on, the client sends > the RST (snd_nxt), which matches the next expected seq number of the > right-most SACK block on the receiver side which is going forward > receiving data. > > In this scenario, as RFC 5961 defines, the RST SEQ doesn't match the > frozen main ACK at receiver side and thus gets dropped and a challenge > ACK is sent, which gets usually lost due to network conditions. The main > consequence is that the connection stays alive for a while even if it > made sense to accept the RST. This can get really bad if lots of > connections like this one are created in few seconds, allocating all the > resources of the server easily. > > For security reasons, not all SACK blocks are checked (there could be a > big amount of SACK blocks => acceptable SEQ numbers). Furthermore, it > wouldn't make sense to check for RST in blocks other than the right-most > received one because the sender is not expected to be sending new data > after the RST. For simplicity, only up to the 4 most recently updated > SACK blocks (selective_acks[4] field) are compared to find the > right-most block, as usually those are the ones with bigger probability > to contain it. > > This patch was tested in a 3.18 kernel and probed to improve the > situation in the scenario described above. > > Signed-off-by: Pau Espin Pedrol <pau.es...@tessares.net> Applied.
