a94f0f9705
This implements a SHOULD from RFC 4340, 7.5.4: "To protect against denial-of-service attacks, DCCP implementations SHOULD impose a rate limit on DCCP-Syncs sent in response to sequence-invalid packets, such as not more than eight DCCP-Syncs per second." The rate-limit is maintained on a per-socket basis. This is a more stringent policy than enforcing the rate-limit on a per-source-address basis and protects against attacks with forged source addresses. Moreover, the mechanism is deliberately kept simple. In contrast to xrlim_allow(), bursts of Sync packets in reply to sequence-invalid packets are not supported. This foils such attacks where the receipt of a Sync triggers further sequence-invalid packets. (I have tested this mechanism against xrlim_allow algorithm for Syncs, permitting bursts just increases the problems.) In order to keep flexibility, the timeout parameter can be set via sysctl; and the whole mechanism can even be disabled (which is however not recommended). The algorithm in this patch has been improved with regard to wrapping issues thanks to a suggestion by Arnaldo. Commiter note: Rate limited the step 6 DCCP_WARN too, as it says we're sending a sync. Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: Ian McDonald <ian.mcdonald@jandi.co.nz> Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> |
||
---|---|---|
.. | ||
acpi | ||
asm-alpha | ||
asm-arm | ||
asm-avr32 | ||
asm-blackfin | ||
asm-cris | ||
asm-frv | ||
asm-generic | ||
asm-h8300 | ||
asm-i386 | ||
asm-ia64 | ||
asm-m32r | ||
asm-m68k | ||
asm-m68knommu | ||
asm-mips | ||
asm-parisc | ||
asm-powerpc | ||
asm-ppc | ||
asm-s390 | ||
asm-sh | ||
asm-sh64 | ||
asm-sparc | ||
asm-sparc64 | ||
asm-um | ||
asm-v850 | ||
asm-x86_64 | ||
asm-xtensa | ||
crypto | ||
keys | ||
linux | ||
math-emu | ||
media | ||
mtd | ||
net | ||
pcmcia | ||
rdma | ||
rxrpc | ||
scsi | ||
sound | ||
video | ||
xen | ||
Kbuild |