| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CADVnQy=bR=zWiDwyrzjaJ9qHSeJJ7mAUvoxgQ57AgG-VK5wtaw@mail.gmail.com> Date: Fri, 1 Apr 2016 12:05:20 -0400 From: Neal Cardwell <ncardwell@...gle.com> To: Eric Dumazet <edumazet@...gle.com> Cc: "David S . Miller" <davem@...emloft.net>, netdev <netdev@...r.kernel.org>, Eric Dumazet <eric.dumazet@...il.com>, Tom Herbert <tom@...bertland.com>, Willem de Bruijn <willemb@...gle.com>, Maciej Żenczykowski <maze@...gle.com> Subject: Re: [PATCH v2 net-next 11/11] tcp: rate limit ACK sent by SYN_RECV request sockets On Fri, Apr 1, 2016 at 11:52 AM, Eric Dumazet <edumazet@...gle.com> wrote: > Attackers like to use SYNFLOOD targeting one 5-tuple, as they > hit a single RX queue (and cpu) on the victim. > > If they use random sequence numbers in their SYN, we detect > they do not match the expected window and send back an ACK. > > This patch adds a rate limitation, so that the effect of such > attacks is limited to ingress only. > > We roughly double our ability to absorb such attacks. Thanks, Eric! Acked-by: Neal Cardwell <ncardwell@...gle.com> neal
Powered by blists - more mailing lists