tcp: rate limit ACK sent by SYN_RECV request sockets
authorEric Dumazet <edumazet@google.com>
Fri, 1 Apr 2016 15:52:22 +0000 (08:52 -0700)
committerDavid S. Miller <davem@davemloft.net>
Tue, 5 Apr 2016 02:11:20 +0000 (22:11 -0400)
commit4ce7e93cb3fe87db5b700050172dc41def9834b3
tree0a650d759c08cd171c4074553203b92f85e3fa29
parenta9d6532b567489196dac4ce60c62343e43228759
tcp: rate limit ACK sent by SYN_RECV request sockets

Attackers like to use SYNFLOOD targeting one 5-tuple, as they
hit a single RX queue (and cpu) on the victim.

If they use random sequence numbers in their SYN, we detect
they do not match the expected window and send back an ACK.

This patch adds a rate limitation, so that the effect of such
attacks is limited to ingress only.

We roughly double our ability to absorb such attacks.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Maciej Żenczykowski <maze@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/tcp_minisocks.c