tcp: rate limit ACK sent by SYN_RECV request sockets (4ce7e93c) · Commits · Mirrors / git.kernel.org / pub_scm_linux_kernel_git_stable_linux · GitLab

Commit 4ce7e93c authored Apr 01, 2016 by

Eric Dumazet Committed by David S. Miller Apr 04, 2016

tcp: rate limit ACK sent by SYN_RECV request sockets



Attackers like to use SYNFLOOD targeting one 5-tuple, as they
hit a single RX queue (and cpu) on the victim.

If they use random sequence numbers in their SYN, we detect
they do not match the expected window and send back an ACK.

This patch adds a rate limitation, so that the effect of such
attacks is limited to ingress only.

We roughly double our ability to absorb such attacks.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Maciej Żenczykowski <maze@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent a9d6532b

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit cd398daa
· Jul 20, 2023

mentioned in commit cd398daa

mentioned in commit cd398daabeb807ba8e2083f147a5fa4f63cc2ef4

Toggle commit list

Please register or to comment