tcp: implement RFC 5961 3.2 Implement the RFC 5691 mitigation against Blind Reset attack using RST bit. Idea is to validate incoming RST sequence, to match RCV.NXT value, instead of previouly accepted window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND) If sequence is in window but not an exact match, send a "challenge ACK", so that the other part can resend an RST with the appropriate sequence. Add a new sysctl, tcp_challenge_ack_limit, to limit number of challenge ACK sent per second. Add a new SNMP counter to count number of challenge acks sent. (netstat -s | grep TCPChallengeACK) Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Kiran Kumar Kella <kkiran@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: 282f23c6ee343126156dd41218b22ece96d747e3 [log] [tgz]
author: Eric Dumazet <edumazet@google.com> Tue Jul 17 10:13:05 2012 +0200
committer: David S. Miller <davem@davemloft.net> Tue Jul 17 01:36:20 2012 -0700
tree: 9a306d99ed77d760078d29699edd3007507d709b
parent: a858d64b7709ca7bd2ee71d66ef3b7190cdcbb7d [diff] [blame]
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 439984b..85c5090 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h

@@ -254,6 +254,7 @@
 extern int sysctl_tcp_thin_dupack;
 extern int sysctl_tcp_early_retrans;
 extern int sysctl_tcp_limit_output_bytes;
+extern int sysctl_tcp_challenge_ack_limit;
 
 extern atomic_long_t tcp_memory_allocated;
 extern struct percpu_counter tcp_sockets_allocated;
commit	282f23c6ee343126156dd41218b22ece96d747e3	[log] [tgz]
author	Eric Dumazet <edumazet@google.com>	Tue Jul 17 10:13:05 2012 +0200
committer	David S. Miller <davem@davemloft.net>	Tue Jul 17 01:36:20 2012 -0700
tree	9a306d99ed77d760078d29699edd3007507d709b
parent	a858d64b7709ca7bd2ee71d66ef3b7190cdcbb7d [diff] [blame]