From: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
To: dccp@vger.kernel.org
Subject: Re: [PATCH 4/5]: Rate-limit DCCP-Syncs
Date: Sat, 22 Sep 2007 20:16:07 +0000
Message-ID: <20070922201607.GD4887@ghostprotocols.net>
In-Reply-To: <200704091058.57313@strip-the-willow>

On Wed, Jun 20, 2007 at 10:56:03AM +0100, Gerrit Renker wrote:
> [DCCP]: Rate-limit DCCP-Syncs
> 
> This implements a SHOULD from RFC 4340, 7.5.4: 
>  "To protect against denial-of-service attacks, DCCP implementations SHOULD 
>   impose a rate limit on DCCP-Syncs sent in response to sequence-invalid packets, 
>   such as not more than eight DCCP-Syncs per second."
> 
> The rate-limit is maintained on a per-socket basis. This is a more stringent
> policy than enforcing the rate-limit on a per-source-address basis and
> protects against attacks with forged source addresses.
> 
> Moreover, the mechanism is deliberately kept simple. In contrast to
> xrlim_allow(), bursts of Sync packets in reply to sequence-invalid packets
> are not supported.  This foils such attacks where the receipt of a Sync
> triggers further sequence-invalid packets. (I have tested this mechanism against
> the xrlim_allow algorithm for Syncs; permitting bursts just increases the problems.)
> 
> In order to keep flexibility, the timeout parameter can be set via sysctl; and
> the whole mechanism can even be disabled (which is however not recommended).
> 
> Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>

Algorithm is fine, just use time_after when comparing jiffies based
timestamps, here:

>  		 */
> -		if (dh->dccph_type = DCCP_PKT_RESET)
> -			seqno = dp->dccps_gsr;
> -		dccp_send_sync(sk, seqno, DCCP_PKT_SYNC);
> +		if (now - dp->dccps_rate_last >= sysctl_dccp_sync_ratelimit) {
> +			dp->dccps_rate_last = now;
> +
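Review bot: the added line `if (now - dp->dccps_rate_last >= sysctl_dccp_sync_ratelimit)` compares jiffies-based timestamps with plain arithmetic; the kernel convention is the time_after()/time_after_eq() macros from linux/jiffies.h, which keep the check correct when the jiffies counter wraps, e.g. `if (time_after_eq(now, dp->dccps_rate_last + sysctl_dccp_sync_ratelimit))`. The assignment to `dp->dccps_rate_last` on the next line can stay as it is.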

Take a look at net/ipv4/syncookies.c:

struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
                             struct ip_options *opt)
<SNIP>
        /* time_after() compares jiffies safely across counter wraparound */
        if (time_after(jiffies, tp->last_synq_overflow + TCP_TIMEOUT_INIT) ||
            (mss = cookie_check(skb, cookie)) == 0) {
                NET_INC_STATS_BH(LINUX_MIB_SYNCOOKIESFAILED);
                goto out;
        }
<SNIP>

Please resubmit with this fix and I'm ok merging it,

Thanks,

- Arnaldo
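The jiffies comparison Arnaldo asks for, as an added example that is not code from the patch or from the kernel: a per-socket Sync rate limiter in the shape of the patch's dccps_rate_last check, with the kernel's time_after_eq() idiom next to a plain unsigned comparison that breaks once jiffies wraps. The struct and function names, the HZ value and the fixed eight-per-second limit are assumptions.

```c
/* Added example (not patch or kernel code): per-socket Sync rate limit
 * in the shape of the patch's dccps_rate_last check; names are stand-ins. */
#include <limits.h>
#include <stdbool.h>

typedef unsigned long jiffies_t;

/* Same form as linux/jiffies.h: the signed difference stays correct
 * when the unsigned jiffies counter wraps past ULONG_MAX. */
#define time_after_eq(a, b) ((long)((a) - (b)) >= 0)

#define HZ 1000                                  /* assumed tick rate */
static const jiffies_t sysctl_dccp_sync_ratelimit = HZ / 8; /* 8 Syncs/s */

struct dccp_sock_stub {
    jiffies_t dccps_rate_last;  /* jiffies when the last Sync went out */
};

/* Correct form: may a Sync go out at 'now'? Records the send if so. */
bool dccp_sync_allowed(struct dccp_sock_stub *dp, jiffies_t now)
{
    if (time_after_eq(now, dp->dccps_rate_last + sysctl_dccp_sync_ratelimit)) {
        dp->dccps_rate_last = now;
        return true;
    }
    return false;
}

/* Plain unsigned comparison: wrong once jiffies wraps, because
 * dccps_rate_last + ratelimit can wrap to a small value while now has not. */
bool dccp_sync_allowed_naive(struct dccp_sock_stub *dp, jiffies_t now)
{
    if (now >= dp->dccps_rate_last + sysctl_dccp_sync_ratelimit) {
        dp->dccps_rate_last = now;
        return true;
    }
    return false;
}

/* Feed n sequence-invalid packets 'step' jiffies apart from 'start' and
 * count how many Syncs the chosen policy lets through. */
unsigned long count_syncs(bool (*allowed)(struct dccp_sock_stub *, jiffies_t),
                          jiffies_t start, unsigned n, jiffies_t step)
{
    struct dccp_sock_stub dp = { start - sysctl_dccp_sync_ratelimit };
    unsigned long sent = 0;
    for (unsigned i = 0; i < n; i++)
        sent += allowed(&dp, start + i * step);
    return sent;
}
```

With a 125-jiffy limit and packets 10 jiffies apart, the time_after_eq() version lets 4 of 40 Syncs through whether or not the run straddles ULONG_MAX, while the naive form lets 8 through across the wrap.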
