Subject: Re: ACK rate-limiting
To: None <thorpej@wasabisystems.com>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: tech-net
Date: 04/21/2004 02:02:09
> On Apr 20, 2004, at 9:52 AM, Jun-ichiro itojun Hagino wrote:
> 
> > Module Name:	src
> > Committed By:	itojun
> > Date:		Tue Apr 20 16:52:12 UTC 2004
> >
> > Modified Files:
> > 	src/sys/netinet: tcp_input.c tcp_subr.c tcp_var.h
> >
> > Log Message:
> > - respond to RST by ACK, as suggested in NISCC recommendation
> > - rate-limit ACKs against RSTs and SYNs
> 
> Isn't rate-limiting against SYNs effectively going to rate-limit how 
> quickly you can passively establish a TCP connection?  This doesn't 
> strike me as being very good for e.g. web servers.
> 
> ...or, am I just missing something?

	it's rate-limiting ACKs against SYN (see NISCC vulnerability note)
	to an already-established connection.  i did not touch the handshake code.

itojun
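
The distinction drawn in the reply above, as a small user-space model (an added example, not the NetBSD tcp_input.c code): SYNs arriving at a listening socket take the handshake path and never touch the limiter, while SYNs and RSTs aimed at an established connection are answered with an ACK only within a per-second budget. All names, the limit of 3 and the rule that a RST exactly matching the next expected sequence number is honoured are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

enum state  { LISTEN, ESTABLISHED };
enum action { HANDSHAKE, SEND_ACK, DROP, RESET_CONN, DELIVER };
#define F_SYN 0x02
#define F_RST 0x04
#define ACK_PPS_LIMIT 3   /* constructed value for the demo, not NetBSD's default */

struct limiter { long sec; int count; };

/* 1 if another ACK fits in the budget for second `now`, else 0. */
static int ack_allowed(struct limiter *l, long now)
{
    if (l->sec != now) { l->sec = now; l->count = 0; }
    return l->count++ < ACK_PPS_LIMIT;
}

/* Decide the response to one segment (window check omitted for brevity). */
static enum action tcp_segment(enum state st, uint8_t flags, uint32_t seq,
                               uint32_t rcv_nxt, struct limiter *l, long now)
{
    if (st == LISTEN)   /* passive open: the limiter is never consulted */
        return (flags & F_SYN) ? HANDSHAKE : DROP;
    if ((flags & F_RST) && seq == rcv_nxt)
        return RESET_CONN;          /* exact match: genuine reset (assumed rule) */
    if (flags & (F_RST | F_SYN))    /* established: answer with an ACK, rate-limited */
        return ack_allowed(l, now) ? SEND_ACK : DROP;
    return DELIVER;
}

/* Feed n identical segments within one second; count how many yield `want`. */
static int count_action(enum state st, uint8_t flags, int n, enum action want)
{
    struct limiter l = { 0, 0 };
    int hits = 0;
    for (int i = 0; i < n; i++)     /* seq is off by one from rcv_nxt */
        hits += tcp_segment(st, flags, 1001, 1000, &l, 0) == want;
    return hits;
}

int main(void)
{
    printf("SYNs to listener, handshakes started: %d\n", count_action(LISTEN, F_SYN, 100, HANDSHAKE));
    printf("SYNs to established, ACKs sent:       %d\n", count_action(ESTABLISHED, F_SYN, 100, SEND_ACK));
    printf("RSTs to established, ACKs sent:       %d\n", count_action(ESTABLISHED, F_RST, 100, SEND_ACK));
    return 0;
}
```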