linux/net
Gerrit Renker a94f0f9705 [DCCP]: Rate-limit DCCP-Syncs
This implements a SHOULD from RFC 4340, 7.5.4:
 "To protect against denial-of-service attacks, DCCP implementations SHOULD
  impose a rate limit on DCCP-Syncs sent in response to sequence-invalid packets,
  such as not more than eight DCCP-Syncs per second."

The rate-limit is maintained on a per-socket basis. This is a more stringent
policy than enforcing the rate-limit on a per-source-address basis and
protects against attacks with forged source addresses.

Moreover, the mechanism is deliberately kept simple. In contrast to
xrlim_allow(), bursts of Sync packets in reply to sequence-invalid packets
are not supported.  This foils such attacks where the receipt of a Sync
triggers further sequence-invalid packets. (I have tested this mechanism against
xrlim_allow algorithm for Syncs, permitting bursts just increases the problems.)

In order to keep flexibility, the timeout parameter can be set via sysctl; and
the whole mechanism can even be disabled (which is however not recommended).

The algorithm in this patch has been improved with regard to wrapping issues
thanks to a suggestion by Arnaldo.

Committer note: Rate limited the step 6 DCCP_WARN too, as it says we're
               sending a sync.

Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: Ian McDonald <ian.mcdonald@jandi.co.nz>
Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
2007-10-10 16:52:43 -07:00
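The policy described in the commit message (one Sync per hold-off period per socket, no burst credit, wrap-safe timestamp comparison, limiter disableable by setting the period to 0) can be modelled in user space to see why it behaves differently from a token bucket. The block below is an added example written for this page; it is not the DCCP patch's own code and it does not touch kernel structures. The tick counter stands in for jiffies, the tick rate (1000/s), the 125-tick hold-off (8 Syncs per second, the RFC's suggested figure) and all struct and function names are assumptions; the token-bucket variant is modelled on the kernel's xrlim_allow() with its burst factor of 6.

```c
/* Added example, not code from the DCCP patch: strict per-socket Sync
 * rate limiting versus an xrlim_allow()-style token bucket, driven by a
 * wrapping tick counter. Names, tick rate and timeout are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tick_t;                    /* stand-in for jiffies; wraps at 2^32 */
#define TICKS_PER_SEC 1000u                 /* assumed HZ */
#define SYNC_TIMEOUT  (TICKS_PER_SEC / 8)   /* 125 ticks: at most 8 Syncs per second */
#define BURST_FACTOR  6                     /* burst credit as in xrlim_allow() */

/* Wrap-safe "a is strictly after b", in the style of the kernel's time_after(). */
static bool tick_after(tick_t a, tick_t b)
{
    return (int32_t)(b - a) < 0;
}

/* Policy 1: strict limiter kept per socket. One Sync per timeout window;
 * idle time does not accumulate into burst credit. */
struct strict_limiter {
    tick_t   last_sync;   /* tick at which the last Sync went out */
    bool     sent_any;    /* distinguishes "never sent" from a Sync at tick 0 */
    unsigned timeout;     /* ticks between Syncs; 0 disables the limit */
};

static bool strict_allow(struct strict_limiter *l, tick_t now)
{
    if (l->timeout == 0)                  /* limiter disabled via sysctl (not recommended) */
        return true;
    if (l->sent_any && !tick_after(now, l->last_sync + l->timeout))
        return false;                     /* still inside the hold-off window: no Sync */
    l->last_sync = now;
    l->sent_any  = true;
    return true;
}

/* Policy 2: token bucket modelled on xrlim_allow(). Idle ticks become
 * tokens, capped at BURST_FACTOR windows, so a quiet socket may answer a
 * burst of sequence-invalid packets with several Syncs at once. */
struct bucket_limiter {
    tick_t   last;        /* tick of the previous call */
    tick_t   tokens;      /* accumulated idle ticks, capped */
    unsigned timeout;
};

static bool bucket_allow(struct bucket_limiter *b, tick_t now)
{
    tick_t token = b->tokens + (now - b->last);   /* unsigned subtraction survives wrap */
    b->last = now;
    if (token > BURST_FACTOR * b->timeout)
        token = BURST_FACTOR * b->timeout;
    if (token >= b->timeout) {
        b->tokens = token - b->timeout;
        return true;
    }
    b->tokens = token;
    return false;
}

/* After one Sync at tick `last`, may the strict limiter send another at `now`? */
static bool strict_allows_at(tick_t last, tick_t now)
{
    struct strict_limiter l = { .timeout = SYNC_TIMEOUT };
    strict_allow(&l, last);               /* first Sync always goes out */
    return strict_allow(&l, now);
}

/* Feed `n` sequence-invalid packets that all arrive in tick `now` to a fresh
 * strict limiter with the given timeout and count the Syncs it emits. */
static unsigned strict_burst_replies(tick_t now, unsigned n, unsigned timeout)
{
    struct strict_limiter l = { .timeout = timeout };
    unsigned sent = 0;
    for (unsigned i = 0; i < n; i++)
        sent += strict_allow(&l, now);
    return sent;
}

/* Same burst against a token bucket that starts full (socket was idle). */
static unsigned bucket_burst_replies(tick_t now, unsigned n)
{
    struct bucket_limiter b = { .last = now, .tokens = BURST_FACTOR * SYNC_TIMEOUT,
                                .timeout = SYNC_TIMEOUT };
    unsigned sent = 0;
    for (unsigned i = 0; i < n; i++)
        sent += bucket_allow(&b, now);
    return sent;
}

int main(void)
{
    /* Constructed scenario: 20 forged sequence-invalid packets in one tick. */
    printf("strict limiter : %u Syncs\n", strict_burst_replies(1000, 20, SYNC_TIMEOUT));
    printf("token bucket   : %u Syncs\n", bucket_burst_replies(1000, 20));
    printf("limiter off    : %u Syncs\n", strict_burst_replies(1000, 20, 0));
    /* Tick counter wraps between the last Sync and the next check. */
    printf("across wrap, 4096 ticks later: %s\n",
           strict_allows_at(0xFFFFFF00u, 0x00001000u) ? "allowed" : "held");
    return 0;
}
```

The bucket answers a single-tick burst with six Syncs, each of which may in turn provoke more sequence-invalid packets from the peer or the attacker; the strict limiter answers with one and ignores the rest until the window has passed. The `tick_after()` comparison is what keeps the hold-off correct when the tick counter wraps: a plain `now < last + timeout` test would hold the socket silent for most of a counter period once `now` has wrapped but `last + timeout` has not.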
9p 9p: fix bad error path in conversion routines 2007-08-23 10:25:05 -05:00
802 [NET]: Introduce and use print_mac() and DECLARE_MAC_BUF() 2007-10-10 16:51:42 -07:00
8021q [NET]: Nuke SET_MODULE_OWNER macro. 2007-10-10 16:51:13 -07:00
appletalk [NET]: Introduce and use print_mac() and DECLARE_MAC_BUF() 2007-10-10 16:51:42 -07:00
atm [NET]: Introduce and use print_mac() and DECLARE_MAC_BUF() 2007-10-10 16:51:42 -07:00
ax25 [NET]: Make the device list and device lookups per namespace. 2007-10-10 16:49:10 -07:00
bluetooth [BLUETOOTH]: Make hidp_setup_input() return int 2007-10-10 16:52:39 -07:00
bridge [ETHTOOL] Provide default behaviors for a few ethtool sub-ioctls 2007-10-10 16:51:17 -07:00
core [NET]: Dynamically allocate the loopback device, part 1. 2007-10-10 16:52:14 -07:00
dccp [DCCP]: Rate-limit DCCP-Syncs 2007-10-10 16:52:43 -07:00
decnet [NET]: Dynamically allocate the loopback device, part 1. 2007-10-10 16:52:14 -07:00
econet [NET]: Make the device list and device lookups per namespace. 2007-10-10 16:49:10 -07:00
ethernet [NET]: Introduce and use print_mac() and DECLARE_MAC_BUF() 2007-10-10 16:51:42 -07:00
ieee80211 [IEEE80211]: Fix softmac lockdep reports. 2007-10-10 16:52:22 -07:00
ipv4 [TCP] MIB: Count FRTO's successfully detected spurious RTOs 2007-10-10 16:52:39 -07:00
ipv6 [NET]: Dynamically allocate the loopback device, part 1. 2007-10-10 16:52:14 -07:00
ipx [NET]: Make the device list and device lookups per namespace. 2007-10-10 16:49:10 -07:00
irda [NET]: Introduce and use print_mac() and DECLARE_MAC_BUF() 2007-10-10 16:51:42 -07:00
iucv [NET]: Make socket creation namespace safe. 2007-10-10 16:49:07 -07:00
key [NET]: Make socket creation namespace safe. 2007-10-10 16:49:07 -07:00
lapb [PATCH] remove many unneeded #includes of sched.h 2007-02-14 08:09:54 -08:00
llc [NET]: Introduce and use print_mac() and DECLARE_MAC_BUF() 2007-10-10 16:51:42 -07:00
mac80211 [MAC80211]: rename ieee80211_cfg.h to cfg.h 2007-10-10 16:52:34 -07:00
netfilter [NETLINK]: Avoid pointer in netlink_run_queue 2007-10-10 16:51:24 -07:00
netlabel [NETLINK]: Introduce nested and byteorder flag to netlink attribute 2007-10-10 16:49:16 -07:00
netlink [NETLINK]: the temp variable name max is ambiguous 2007-10-10 16:51:25 -07:00
netrom [NET]: Make the device list and device lookups per namespace. 2007-10-10 16:49:10 -07:00
packet [NET]: Make the device list and device lookups per namespace. 2007-10-10 16:49:10 -07:00
rfkill [RFKILL]: Add support for ultrawideband 2007-10-10 16:49:23 -07:00
rose [NET]: Make the device list and device lookups per namespace. 2007-10-10 16:49:10 -07:00
rxrpc [NET]: Make socket creation namespace safe. 2007-10-10 16:49:07 -07:00
sched [NET_SCHED]: explict hold dev tx lock 2007-10-10 16:52:15 -07:00
sctp [SCTP]: Tie ADD-IP and AUTH functionality as required by spec. 2007-10-10 16:51:33 -07:00
sunrpc [NET]: Make /proc/net per network namespace 2007-10-10 16:49:06 -07:00
tipc [NET]: Introduce and use print_mac() and DECLARE_MAC_BUF() 2007-10-10 16:51:42 -07:00
unix [NET]: Make socket creation namespace safe. 2007-10-10 16:49:07 -07:00
wanrouter [NET]: Make /proc/net per network namespace 2007-10-10 16:49:06 -07:00
wireless [NL80211]: add netlink interface to cfg80211 2007-10-10 16:52:14 -07:00
x25 [NET]: Make the device list and device lookups per namespace. 2007-10-10 16:49:10 -07:00
xfrm [NET]: Dynamically allocate the loopback device, part 1. 2007-10-10 16:52:14 -07:00
compat.c O_CLOEXEC for SCM_RIGHTS 2007-07-16 09:05:45 -07:00
Kconfig 9p: Reorganization of 9p file system code 2007-07-14 15:13:40 -05:00
Makefile 9p: Reorganization of 9p file system code 2007-07-14 15:13:40 -05:00
nonet.c [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
socket.c [NET]: Make the device list and device lookups per namespace. 2007-10-10 16:49:10 -07:00
sysctl_net.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
TUNABLE