Date:      Mon, 28 Oct 2002 19:10:03 -0800 (PST)
From:      kenji@k2r.org
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: misc/39787: T/TCP support
Message-ID:  <200210290310.g9T3A30F003625@freefall.freebsd.org>

The following reply was made to PR misc/39787; it has been noted by GNATS.

From: kenji@k2r.org
To: freebsd-gnats-submit@FreeBSD.org, dhuang@qobra.com
Cc: kenji@k2r.org
Subject: Re: misc/39787: T/TCP support
Date: 29 Oct 2002 12:00:17 +0900

 The reason for this behavior is documented in
 /usr/src/sys/netinet/tcp_syncache.c
 (I quote from the 4.6.2-RELEASE version,
 src/sys/netinet/tcp_syncache.c,v 1.5.2.6)
 as follows, just before the function syncache_add():
 
 - quote -
 
  * IMPORTANT NOTE: We do _NOT_ ACK data that might accompany the SYN.
  * Doing so would require that we hold onto the data and deliver it
  * to the application.  However, if we are the target of a SYN-flood
  * DoS attack, an attacker could send data which would eventually
  * consume all available buffer space if it were ACKed.  By not ACKing
  * the data, we avoid this DoS scenario.
 
 - unquote -
 
 So I'd rather consider this as an *intentional feature* of FreeBSD
 to block SYN-flooding.
 
 // Kenji Rikitake <kenji.rikitake@acm.org>
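
The trade-off in the quoted kernel comment, as a small C model added here (not FreeBSD's syncache code and not part of the original message). The slot count, entry size and all names are assumptions; it compares the memory pinned and the ack number sent when SYN data is dropped versus held and ACKed.

```c
/* Added model, not FreeBSD code: all sizes and names are assumptions. */
#include <stdint.h>
#include <stdio.h>

#define CACHE_SLOTS 4      /* assumed tiny cache limit for the demo */
#define ENTRY_BYTES 160    /* assumed fixed size of one cache entry */
enum policy { DROP_SYN_DATA, HOLD_SYN_DATA };

struct model_cache {
    size_t payload[CACHE_SLOTS]; /* bytes of SYN data retained per slot */
    size_t used, next;           /* occupied slots, next slot to (re)use */
};

/* Record one SYN; return the ack number the SYN|ACK would carry. */
uint32_t model_syn(struct model_cache *c, enum policy p,
                   uint32_t irs, size_t data_len)
{
    size_t slot = c->next;
    c->next = (c->next + 1) % CACHE_SLOTS;   /* full cache: overwrite oldest */
    if (c->used < CACHE_SLOTS)
        c->used++;
    c->payload[slot] = (p == HOLD_SYN_DATA) ? data_len : 0;
    /* The SYN consumes one sequence number; data is covered only if held. */
    return irs + 1 + (uint32_t)c->payload[slot];
}

/* Memory pinned by half-open connections under the chosen policy. */
size_t model_bytes_held(const struct model_cache *c)
{
    size_t total = c->used * ENTRY_BYTES;
    for (size_t i = 0; i < c->used; i++)
        total += c->payload[i];
    return total;
}

/* Feed n constructed SYNs, each carrying data_len bytes, into a fresh cache. */
size_t model_flood(enum policy p, unsigned n, size_t data_len)
{
    struct model_cache c = {0};
    for (unsigned i = 0; i < n; i++)
        model_syn(&c, p, 1000u * i, data_len);
    return model_bytes_held(&c);
}

int main(void)
{
    printf("drop: %zu bytes, hold: %zu bytes\n", model_flood(DROP_SYN_DATA, 100, 1400),
           model_flood(HOLD_SYN_DATA, 100, 1400));
    return 0;
}
```

With the data dropped, the memory held depends only on the number of cache slots, not on what each SYN carries; the sender has to retransmit the unacknowledged data after the handshake completes.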
