tcp: implement RFC 5961 3.2
authorEric Dumazet <edumazet@google.com>
Tue, 17 Jul 2012 08:13:05 +0000 (10:13 +0200)
committerDavid S. Miller <davem@davemloft.net>
Tue, 17 Jul 2012 08:36:20 +0000 (01:36 -0700)
commit282f23c6ee343126156dd41218b22ece96d747e3
tree9a306d99ed77d760078d29699edd3007507d709b
parenta858d64b7709ca7bd2ee71d66ef3b7190cdcbb7d
tcp: implement RFC 5961 3.2

Implement the RFC 5691 mitigation against Blind
Reset attack using RST bit.

Idea is to validate incoming RST sequence,
to match RCV.NXT value, instead of previouly accepted
window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND)

If sequence is in window but not an exact match, send
a "challenge ACK", so that the other part can resend an
RST with the appropriate sequence.

Add a new sysctl, tcp_challenge_ack_limit, to limit
number of challenge ACK sent per second.

Add a new SNMP counter to count number of challenge acks sent.
(netstat -s | grep TCPChallengeACK)

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kiran Kumar Kella <kkiran@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Documentation/networking/ip-sysctl.txt
include/linux/snmp.h
include/net/tcp.h
net/ipv4/proc.c
net/ipv4/sysctl_net_ipv4.c
net/ipv4/tcp_input.c