summaryrefslogtreecommitdiffstats
path: root/security/yama
diff options
context:
space:
mode:
authorNeal Cardwell <ncardwell@google.com>2015-02-06 16:04:39 -0500
committerDavid S. Miller <davem@davemloft.net>2015-02-08 01:03:12 -0800
commita9b2c06dbef48ed31cff1764c5ce824829106f4f (patch)
tree7e1dc6d03d3f2ba41a3a867fad3bf59c49665599 /security/yama
parent032ee4236954eb214651cb9bfc1b38ffa8fd7a01 (diff)
downloadlinux-a9b2c06dbef48ed31cff1764c5ce824829106f4f.tar.bz2
tcp: mitigate ACK loops for connections as tcp_request_sock
In the SYN_RECV state, where the TCP connection is represented by tcp_request_sock, we now rate-limit SYNACKs in response to a client's retransmitted SYNs: we do not send a SYNACK in response to client SYN if it has been less than sysctl_tcp_invalid_ratelimit (default 500ms) since we last sent a SYNACK in response to a client's retransmitted SYN. This allows the vast majority of legitimate client connections to proceed unimpeded, even for the most aggressive platforms, iOS and MacOS, which actually retransmit SYNs 1-second intervals for several times in a row. They use SYN RTO timeouts following the progression: 1,1,1,1,1,2,4,8,16,32. Reported-by: Avery Fay <avery@mixpanel.com> Signed-off-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: Yuchung Cheng <ycheng@google.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/yama')
0 files changed, 0 insertions, 0 deletions