On Thu, 11 Dec 2008, Gavin McCullagh wrote:
> I'd be curious to know what attack is being defended against and what it's
> doing though. Is it just dropping the connection?
Probably no specific attack. Firewall writers consider the "be
liberal" part of Postel's principle as antithetical to security (e.g.
even the BSD people managed to screw up with the CWND thing a few
years ago). Even when firewalls ship with these insane "Validate to
the max!" options disabled, administrators often go enable them -
cause if it was a bad idea, then it wouldn't be there as an option,
now would it?
> I doubt Brian's issue has much to do with that attack, it just reminded me
> of it a little.
Sure. Just giving Brian ammo to respond with if the admin happens to
mention bandwidth-consuming attacks ;).
> Some debate has gone on over how best to deal with it.
Very interesting, thanks.
It seems this is more a fundamental characteristic of
request/response traffic patterns on the internet though, rather than
a problem specifically in TCP.
I.e. you can fix the more pathological aspects of this infinite CWND
increase, but still the general answer is to drop packets on routers
as cleverly as reasonably possible.
Paul Jakma paul at clubi.ie / paul at jakma.org Key ID: 64A2FF6A
Publishing a volume of verse is like dropping a rose petal down the
Grand Canyon and waiting for the echo.