Page MenuHomeFreeBSD
Differential D11929

Limit the rate at which we will send ACKs in response to out-of-window ACKs
AbandonedPublic
Actions

Authored by jtl on Aug 9 2017, 1:10 AM.
Tags
None
Referenced Files
F110427420: D11929.id.diff
Tue, Feb 18, 7:58 AM
Unknown Object (File)
Sun, Feb 2, 9:08 PM
Unknown Object (File)
Sun, Jan 26, 5:30 AM
Unknown Object (File)
Jan 18 2025, 3:45 AM
Unknown Object (File)
Jan 1 2025, 7:39 AM
Unknown Object (File)
Dec 31 2024, 7:14 AM
Unknown Object (File)
Dec 30 2024, 7:20 AM
Unknown Object (File)
Dec 29 2024, 8:11 AM
View All 59 Files
Subscribers
imp
j-nitrology.com
russor_ruka.org

Details

Reviewers
rrs
Group Reviewers
transport
Summary

When we receive an ACK from a TCP peer and the ACK acknowledges data that we have not sent yet, RFC 793 indicates that we should respond with an ACK indicating our current sequence number and acknowledgment number.

When we receive an ACK for data we have not yet sent, this likely indicates either a spoofed packet or an unsynchronized connection. In the latter case, RFC 793 provides some examples of how sending an ACK can help the remote side determine the connection is unsynchronized, leading it to close the connection. So, it probably makes sense to continue to send ACKs in this case.

However, these ACKs often will *not* be useful. And, in some extreme cases, we can even end up in a cyclical pattern of connections that continually fail at a high rate. Bug 184680 documents one such case which involves sessions opened with a SYN cookie.

Therefore, it makes sense to send these responses, but with a rate limit. This will provide us with the benefit of occasionally helping to quickly clean up an unsynchronized connection, but will also provide some protection against the case where sending a ACK merely feeds a cycle of failing connections (or, in any case, is not helpful).

PR: 184680

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

jtl created this revision.Aug 9 2017, 1:10 AM
Herald added a subscriber: imp. · View Herald TranscriptAug 9 2017, 1:10 AM
rrs accepted this revision.Aug 9 2017, 6:36 AM
This revision is now accepted and ready to land.Aug 9 2017, 6:36 AM
j-nitrology.com added a subscriber: j-nitrology.com.Aug 15 2017, 10:06 PM
russor_ruka.org added a subscriber: russor_ruka.org.Aug 23 2017, 4:59 PM

In case my comment on the bugzilla issue wasn't seen, I tested this patch (manually applied to 10.3), and it worked as expected. Thanks!

jtl abandoned this revision.Mar 20 2018, 4:41 PM

This is not a good solution to the problem. See this paper for an explanation of why not.

We will need to create a per-connection limit in order to do this safely.

Revision Contents
Changeset List

PathSize
sys/
netinet/
3 lines
3 lines
21 lines

Diff 31787

View Options

sys/netinet/icmp_var.h

Loading...
View Options

sys/netinet/ip_icmp.c

Loading...
View Options

sys/netinet/tcp_input.c

Loading...