diff options
| author | Eric Dumazet <edumazet@google.com> | 2012-07-17 10:13:05 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-01-11 09:07:14 -0800 |
| commit | 34fb350281ced2a72707a5c0064f69992d440edb (patch) | |
| tree | 91f806c64e65601adf09564a83b4c44f4db080be /include/linux | |
| parent | c87b45599a4e0d8741abeb85d1d8d5f0c1fb13be (diff) | |
| download | linux-3.10-34fb350281ced2a72707a5c0064f69992d440edb.tar.gz linux-3.10-34fb350281ced2a72707a5c0064f69992d440edb.tar.bz2 linux-3.10-34fb350281ced2a72707a5c0064f69992d440edb.zip | |
tcp: implement RFC 5961 3.2
[ Upstream commit 282f23c6ee343126156dd41218b22ece96d747e3 ]
Implement the RFC 5691 mitigation against Blind
Reset attack using RST bit.
Idea is to validate incoming RST sequence,
to match RCV.NXT value, instead of previouly accepted
window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND)
If sequence is in window but not an exact match, send
a "challenge ACK", so that the other part can resend an
RST with the appropriate sequence.
Add a new sysctl, tcp_challenge_ack_limit, to limit
number of challenge ACK sent per second.
Add a new SNMP counter to count number of challenge acks sent.
(netstat -s | grep TCPChallengeACK)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kiran Kumar Kella <kkiran@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/snmp.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/snmp.h b/include/linux/snmp.h index 2e68f5ba038..594638ec5ac 100644 --- a/include/linux/snmp.h +++ b/include/linux/snmp.h @@ -234,6 +234,7 @@ enum LINUX_MIB_TCPREQQFULLDROP, /* TCPReqQFullDrop */ LINUX_MIB_TCPRETRANSFAIL, /* TCPRetransFail */ LINUX_MIB_TCPRCVCOALESCE, /* TCPRcvCoalesce */ + LINUX_MIB_TCPCHALLENGEACK, /* TCPChallengeACK */ __LINUX_MIB_MAX }; |