author | silby <silby@FreeBSD.org> | 2004-04-26 02:56:31 +0000 |
---|---|---|
committer | silby <silby@FreeBSD.org> | 2004-04-26 02:56:31 +0000 |
commit | 051b00be736964ed5c26256aa18bbe6c68ff7922 (patch) | |
tree | 8547bca0216e4f6983cf0489c681b37bfc557456 /sys/netinet/tcp_var.h | |
parent | 312f49a25bec22bb547a39de59b639f0967847a5 (diff) | |
download | FreeBSD-src-051b00be736964ed5c26256aa18bbe6c68ff7922.zip FreeBSD-src-051b00be736964ed5c26256aa18bbe6c68ff7922.tar.gz |
Tighten up reset handling in order to make reset attacks as difficult as
possible while maintaining compatibility with the widest range of TCP stacks.
The algorithm is as follows:
---
For connections in the ESTABLISHED state, only resets with
sequence numbers exactly matching last_ack_sent will cause a reset,
all other segments will be silently dropped.
For connections in all other states, a reset anywhere in the window
will cause the connection to be reset. All other segments will be
silently dropped.
---
The necessity of accepting all in-window resets was discovered
by jayanth and jlemon, both of whom have seen TCP stacks that
will respond to FIN-ACK packets with resets not meeting the
strict last_ack_sent check.
Idea by: Darren Reed
Reviewed by: truckman, jlemon, others(?)
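The acceptance rule the commit message describes, written out as a stand-alone C function. This is an added illustration, not code from the FreeBSD commit: the `toy_tcpcb` and `toy_tcpstat` structs, the field names `rcv_nxt` and `rcv_wnd`, and the choice of `[rcv_nxt, rcv_nxt + rcv_wnd)` as "the window" are assumptions made for the example; the commit message itself names only `last_ack_sent` and the new `tcps_badrst` counter.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-ins for the parts of the kernel's TCP control block and
 * statistics that the RST check touches. Not the real struct tcpcb/tcpstat.
 */
enum tcp_state { TCPS_ESTABLISHED, TCPS_OTHER }; /* TCPS_OTHER: any non-ESTABLISHED state */

struct toy_tcpcb {
	enum tcp_state t_state;
	uint32_t rcv_nxt;       /* next sequence number we expect (assumed window base) */
	uint32_t rcv_wnd;       /* advertised receive window */
	uint32_t last_ack_sent; /* sequence number carried in the last ACK we sent */
};

struct toy_tcpstat {
	unsigned long tcps_badrst; /* in-window RSTs ignored by the exact-match rule */
};

/* Sequence-space comparisons: 32-bit wrap-around is intentional. */
static bool seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }
static bool seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }

/*
 * Decide whether an incoming RST with sequence number th_seq may tear the
 * connection down. Returns true to reset, false to silently drop.
 *  - out of window: drop.
 *  - ESTABLISHED: accept only if th_seq == last_ack_sent; any other in-window
 *    RST is dropped and counted in tcps_badrst.
 *  - every other state: any in-window RST is accepted.
 */
bool rst_accept(const struct toy_tcpcb *tp, uint32_t th_seq, struct toy_tcpstat *st)
{
	bool in_window = seq_geq(th_seq, tp->rcv_nxt) &&
	                 seq_lt(th_seq, tp->rcv_nxt + tp->rcv_wnd);
	if (!in_window)
		return false;

	if (tp->t_state == TCPS_ESTABLISHED) {
		if (th_seq == tp->last_ack_sent)
			return true;
		st->tcps_badrst++; /* in-window but inexact: the case the tightened rule drops */
		return false;
	}
	return true;
}

/* File-scope counter so the wrapper below can be driven from a test harness. */
static struct toy_tcpstat g_stat;

/* Convenience wrapper: build a control block from scalars and return 1 (reset) / 0 (drop). */
int rst_decide(enum tcp_state state, uint32_t rcv_nxt, uint32_t rcv_wnd,
               uint32_t last_ack_sent, uint32_t th_seq)
{
	struct toy_tcpcb tp = { state, rcv_nxt, rcv_wnd, last_ack_sent };
	return rst_accept(&tp, th_seq, &g_stat) ? 1 : 0;
}

unsigned long rst_ignored_count(void) { return g_stat.tcps_badrst; }

int main(void)
{
	/* Constructed connection: expecting seq 1000, 64 KiB window, last ACK sent at 1000. */
	printf("ESTABLISHED, RST seq 1000 (== last_ack_sent): %d\n",
	       rst_decide(TCPS_ESTABLISHED, 1000, 65535, 1000, 1000));
	printf("ESTABLISHED, RST seq 1500 (in window, inexact): %d\n",
	       rst_decide(TCPS_ESTABLISHED, 1000, 65535, 1000, 1500));
	printf("ESTABLISHED, RST seq 100 (out of window): %d\n",
	       rst_decide(TCPS_ESTABLISHED, 1000, 65535, 1000, 100));
	printf("non-ESTABLISHED state, RST seq 1500 (in window): %d\n",
	       rst_decide(TCPS_OTHER, 1000, 65535, 1000, 1500));
	printf("tcps_badrst = %lu\n", rst_ignored_count());
	return 0;
}
```

The counter is the operationally useful part for a defender: only RSTs that land inside the window yet miss `last_ack_sent` increment it, so a steady climb in that statistic on an otherwise healthy host is the signature of guessed resets rather than ordinary out-of-window noise.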
Diffstat (limited to 'sys/netinet/tcp_var.h')
-rw-r--r-- | sys/netinet/tcp_var.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h index 86e27f0..8c42b4d 100644 --- a/sys/netinet/tcp_var.h +++ b/sys/netinet/tcp_var.h @@ -414,6 +414,7 @@ struct tcpstat { u_long tcps_badsyn; /* bogus SYN, e.g. premature ACK */ u_long tcps_mturesent; /* resends due to MTU discovery */ u_long tcps_listendrop; /* listen queue overflows */ + u_long tcps_badrst; /* ignored RSTs in the window */ u_long tcps_sc_added; /* entry added to syncache */ u_long tcps_sc_retransmitted; /* syncache entry was retransmitted */ |
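Review bot: inserting `tcps_badrst` between `tcps_listendrop` and `tcps_sc_added` shifts the offset of every later field in `struct tcpstat`, so any consumer of this struct built against the old header will read the syncache counters (and everything after them) one slot off; either state in the commit message that such consumers must be rebuilt alongside the kernel, or append the new field at the end of the struct instead. The comment `/* ignored RSTs in the window */` would also be more useful if it stated the exact condition the commit message gives (an in-window RST on an ESTABLISHED connection whose sequence number is not `last_ack_sent`), since this counter is the statistic an operator will watch to notice reset-attack attempts against a host.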