From mboxrd@z Thu Jan  1 00:00:00 1970
From: Stephen Hemminger
Subject: Re: DSCP values in TCP handshake
Date: Mon, 18 Apr 2011 21:16:37 -0700
Message-ID: <20110418211637.57f1cfb8@nehalam>
References: <1303135512.3137.335.camel@edumazet-laptop>
	<20110418083827.05dd2d43@nehalam>
	<4DAC8A8A.1010401@cox.net>
	<20110418144908.55967b06@nehalam>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: Joe Buehler , Eric Dumazet , netdev@vger.kernel.org
To: Mikael Abrahamsson
Return-path:
Received: from mail.vyatta.com ([76.74.103.46]:37616 "EHLO mail.vyatta.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750958Ab1DSEQk
	(ORCPT ); Tue, 19 Apr 2011 00:16:40 -0400
In-Reply-To:
Sender: netdev-owner@vger.kernel.org
List-ID:

On Tue, 19 Apr 2011 05:50:34 +0200 (CEST)
Mikael Abrahamsson wrote:

> On Mon, 18 Apr 2011, Stephen Hemminger wrote:
>
> > If the DSCP bits are reflected, then it could allow for even better SYN
> > flood attack. Attacker could maliciously set DSCP to elevate priority
> > processing of his bogus SYN packets and also cause SYN-ACK on reverse
> > path to also take priority.
>
> Incoming, it's already too late. Outgoing, yes, that might be a problem,
> but if you have a QoS enabled network then you might as well solve that in
> the network, not in the host.
>
> Does Linux internally look at DSCP when deciding what SYNs to handle
> first? If not, I think the above reasoning is misdirected.

Linux does not look at DSCP of incoming packets (there is no queue).
Of course, you can do anything with qdisc, and iptables.
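The point of contention in the thread is whether the SYN-ACK should carry the DSCP value chosen by whoever sent the SYN, or the value configured on the listening socket. The following is an added model of that choice, written for this page and not code from the netdev thread or from the Linux kernel: it splits the TOS byte into DSCP and ECN, derives the SYN-ACK TOS under a "reflect" policy versus a "socket policy" rule, and shows the edge-side normalization Mikael alludes to (remarking untrusted DSCP values to CS0 before they reach the host). The function names, the trusted-DSCP set and the sample TOS values are my own assumptions.

```python
"""Added example, not part of the original thread or of the kernel source.

Models how an outgoing SYN-ACK's TOS byte could be derived from an incoming
SYN, so the "reflected DSCP" concern can be reasoned about concretely.
"""

# DSCP code points from the RFCs; the ECN field occupies the low two bits.
DSCP_CS0 = 0      # best effort (RFC 2474)
DSCP_AF11 = 10    # assured forwarding, class 1 (RFC 2597)
DSCP_EF = 46      # expedited forwarding (RFC 3246)
ECN_MASK = 0x03


def split_tos(tos: int) -> tuple[int, int]:
    """Return (dscp, ecn) from an IPv4 TOS / IPv6 Traffic Class byte."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS byte out of range")
    return tos >> 2, tos & ECN_MASK


def join_tos(dscp: int, ecn: int) -> int:
    """Inverse of split_tos: pack a 6-bit DSCP and 2-bit ECN into one byte."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP or ECN value out of range")
    return (dscp << 2) | ecn


def synack_tos(syn_tos: int, socket_tos: int, reflect_dscp: bool) -> int:
    """TOS byte of the SYN-ACK under one of two policies.

    reflect_dscp=True  : copy the DSCP chosen by the SYN's sender (the proposal
                         the thread argues about).
    reflect_dscp=False : use the DSCP configured on the listening socket.
    The ECN bits are always taken from the socket; TCP's ECN negotiation lives
    in the TCP flags and is not modelled here.
    """
    syn_dscp, _ = split_tos(syn_tos)
    sock_dscp, sock_ecn = split_tos(socket_tos)
    return join_tos(syn_dscp if reflect_dscp else sock_dscp, sock_ecn)


def normalize_untrusted_dscp(tos: int,
                             allowed: frozenset[int] = frozenset({DSCP_CS0})) -> int:
    """Edge-policy model (assumed, not a kernel feature): remark any DSCP not
    in the trusted set to CS0, preserving the ECN bits, the way an ingress
    DSCP rewrite rule on the network boundary would."""
    dscp, ecn = split_tos(tos)
    return join_tos(dscp if dscp in allowed else DSCP_CS0, ecn)


def synack_dscp(syn_tos: int, socket_tos: int, reflect_dscp: bool,
                normalize_at_edge: bool = False) -> int:
    """Resulting SYN-ACK DSCP for a given SYN, socket setting and policy."""
    if normalize_at_edge:
        syn_tos = normalize_untrusted_dscp(syn_tos)
    return split_tos(synack_tos(syn_tos, socket_tos, reflect_dscp))[0]


if __name__ == "__main__":
    # Constructed sample: a SYN marked EF by its sender, a best-effort socket.
    syn = join_tos(DSCP_EF, 0)
    sock = join_tos(DSCP_CS0, 0)
    print("reflect, no edge policy :", synack_dscp(syn, sock, True))
    print("reflect, edge normalize :", synack_dscp(syn, sock, True, True))
    print("socket policy           :", synack_dscp(syn, sock, False))
```

Run as a script it prints 46, 0 and 0 for the three cases: reflection lets the SYN sender pick the SYN-ACK's DSCP, a trusted-set rewrite at the boundary removes that choice, and using the socket's own value never consults the SYN at all, which matches Stephen's reply that the host does not act on incoming DSCP.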