| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20110418211637.57f1cfb8@nehalam> Date: Mon, 18 Apr 2011 21:16:37 -0700 From: Stephen Hemminger <shemminger@...tta.com> To: Mikael Abrahamsson <swmike@....pp.se> Cc: Joe Buehler <aspam@....net>, Eric Dumazet <eric.dumazet@...il.com>, netdev@...r.kernel.org Subject: Re: DSCP values in TCP handshake On Tue, 19 Apr 2011 05:50:34 +0200 (CEST) Mikael Abrahamsson <swmike@....pp.se> wrote: > On Mon, 18 Apr 2011, Stephen Hemminger wrote: > > > If the DSCP bits are reflected, then it could allow for even better SYN > > flood attack. Attacker could maliciously set DSCP to elevate priority > > processing of his bogus SYN packets and also cause SYN-ACK on reverse > > path to also take priority. > > Incoming, it's already too late. Outgoing, yes, that might be a problem, > but if you have a QoS enabled network then you might as well solve that in > the network, not in the host. > > Does Linux internally look at DSCP when deciding what SYNs to handle > first? If not, I think the above reasoning is misdirected. Linux does not look at DSCP of incoming packets (there is no queue). Of course, you can do anything with qdisc, and iptables. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists