From: Neal Cardwell <ncardwell@google.com>
To: Eric Dumazet <edumazet@google.com>
Cc: "David S . Miller" <davem@davemloft.net>,
	netdev <netdev@vger.kernel.org>,
	"Eric Dumazet" <eric.dumazet@gmail.com>,
	"Tom Herbert" <tom@herbertland.com>,
	"Willem de Bruijn" <willemb@google.com>,
	"Maciej Żenczykowski" <maze@google.com>
Subject: Re: [PATCH v2 net-next 11/11] tcp: rate limit ACK sent by SYN_RECV request sockets
Date: Fri, 1 Apr 2016 12:05:20 -0400
Message-ID: <CADVnQy=bR=zWiDwyrzjaJ9qHSeJJ7mAUvoxgQ57AgG-VK5wtaw@mail.gmail.com>
In-Reply-To: <1459525942-30399-12-git-send-email-edumazet@google.com>

On Fri, Apr 1, 2016 at 11:52 AM, Eric Dumazet <edumazet@google.com> wrote:
> Attackers like to use SYNFLOOD targeting one 5-tuple, as they
> hit a single RX queue (and cpu) on the victim.
>
> If they use random sequence numbers in their SYN, we detect
> they do not match the expected window and send back an ACK.
>
> This patch adds a rate limitation, so that the effect of such
> attacks is limited to ingress only.
>
> We roughly double our ability to absorb such attacks.

Thanks, Eric!

Acked-by: Neal Cardwell <ncardwell@google.com>

neal
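
A userspace model of the rate limit described in the quoted commit message, added here as an illustration; it is not code from the patch or from the kernel. The struct, the function names, the one-SYN-per-millisecond arrival rate and the minimum gap passed in are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical userspace model; names are illustrative, not the kernel's. */
struct req_sock {
    uint32_t rcv_nxt;         /* next sequence number expected from the peer */
    uint32_t rcv_wnd;         /* receive window offered in our SYN-ACK */
    uint64_t last_oow_ack_ms; /* time of the last ACK sent for an out-of-window segment */
    bool     oow_ack_sent;    /* false until the first such ACK */
};

/* Wrap-safe check: is seq inside [rcv_nxt, rcv_nxt + rcv_wnd)? */
static bool seq_in_window(const struct req_sock *r, uint32_t seq)
{
    return (uint32_t)(seq - r->rcv_nxt) < r->rcv_wnd;
}

/* Decide whether an out-of-window segment arriving at now_ms gets an ACK. */
static bool oow_ack_allowed(struct req_sock *r, uint64_t now_ms, uint64_t min_gap_ms)
{
    if (r->oow_ack_sent && now_ms - r->last_oow_ack_ms < min_gap_ms)
        return false;         /* suppressed: the packet costs ingress only */
    r->last_oow_ack_ms = now_ms;
    r->oow_ack_sent = true;
    return true;
}

/* Feed n constructed SYNs, one per millisecond, to one request socket and
 * count the ACKs it would emit. min_gap_ms == 0 models no rate limit. */
static unsigned simulate_flood(unsigned n, uint64_t min_gap_ms)
{
    struct req_sock r = { .rcv_nxt = 1000, .rcv_wnd = 65535 };
    uint32_t x = 0x9e3779b9u; /* constructed LCG state, stands in for attacker randomness */
    unsigned acks = 0;

    for (unsigned i = 0; i < n; i++) {
        x = x * 1664525u + 1013904223u;
        /* Offset keeps every sample outside the window, as random values almost always are. */
        uint32_t seq = r.rcv_nxt + r.rcv_wnd + (x >> 1);
        if (seq_in_window(&r, seq))
            continue;         /* in-window segments follow the normal path */
        if (oow_ack_allowed(&r, i, min_gap_ms))
            acks++;
    }
    return acks;
}
```

With an assumed 500 ms gap, 10000 out-of-window SYNs arriving over ten seconds produce 20 ACKs instead of 10000, so the per-packet transmit work disappears and only the receive cost remains.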

Thread overview: 16+ messages
2016-04-01 15:52 [PATCH v2 net-next 00/11] net: various udp/tcp changes Eric Dumazet
2016-04-01 15:52 ` [PATCH v2 net-next 01/11] net: add SOCK_RCU_FREE socket flag Eric Dumazet
2016-04-02 16:35   ` Tom Herbert
2016-04-01 15:52 ` [PATCH v2 net-next 02/11] udp: no longer use SLAB_DESTROY_BY_RCU Eric Dumazet
2016-04-02 16:34   ` Tom Herbert
2016-04-01 15:52 ` [PATCH v2 net-next 03/11] tcp/dccp: remove BH disable/enable in lookup Eric Dumazet
2016-04-01 15:52 ` [PATCH v2 net-next 04/11] tcp/dccp: use rcu locking in inet_diag_find_one_icsk() Eric Dumazet
2016-04-01 15:52 ` [PATCH v2 net-next 05/11] inet: reqsk_alloc() needs to take care of dead listeners Eric Dumazet
2016-04-01 15:52 ` [PATCH v2 net-next 06/11] tcp/dccp: do not touch listener sk_refcnt under synflood Eric Dumazet
2016-04-01 15:52 ` [PATCH v2 net-next 07/11] sock_diag: add SK_MEMINFO_DROPS Eric Dumazet
2016-04-01 15:52 ` [PATCH v2 net-next 08/11] tcp: increment sk_drops for dropped rx packets Eric Dumazet
2016-04-01 15:52 ` [PATCH v2 net-next 09/11] tcp: increment sk_drops for listeners Eric Dumazet
2016-04-01 15:52 ` [PATCH v2 net-next 10/11] ipv4: tcp: set SOCK_USE_WRITE_QUEUE for ip_send_unicast_reply() Eric Dumazet
2016-04-01 15:52 ` [PATCH v2 net-next 11/11] tcp: rate limit ACK sent by SYN_RECV request sockets Eric Dumazet
2016-04-01 16:05   ` Neal Cardwell [this message]
2016-04-05  2:12 ` [PATCH v2 net-next 00/11] net: various udp/tcp changes David Miller
