On 10 August 2016 at 06:44, Rick Walker <walker@xxxxxxxxxxxxxx> wrote:
>
>> 1. Open /etc/sysctl.conf, append a command
>> "/net.ipv4/tcp_challenge_ack_limit = 999999999".
>
> I'm very skeptical. The default on my stock machine is 100. You can check
> your own with:
>
> sysctl -A | grep tcp | grep limit
>
> In the absence of better documentation, I'm guessing that opening the
> ack limit to several million is essentially setting your machine up to
> unlimited hack attack.
>

"An implementation SHOULD include an ACK throttling mechanism to be
conservative. While we have not encountered a case where the lack of ACK
throttling can be exploited, as a fail-safe mechanism we recommend its use.
An implementation may take an excessive number of invocations of the
throttling mechanism as an indication that network conditions are unusual
or hostile."

https://tools.ietf.org/html/rfc5961

I'm not an expert on this, but it appears that RFC 5961 describes the
mitigation of this type of attack, and the ACK rate limiting is simply a
SHOULD for conservation of resources.

--
imalone
http://ibmalone.blogspot.co.uk

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://lists.fedoraproject.org/admin/lists/users@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
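The thread above argues about what tcp_challenge_ack_limit actually does: the quoted suggestion raises it to 999999999, the reply notes the stock default of 100 and cites the RFC 5961 text on ACK throttling. The following simulation is an added example, not code from the thread or from the Linux kernel. It models the RFC 5961 throttle as a per-second cap on challenge ACKs, feeds it a burst of segments that fail the SEQ/ACK checks, and reports how many challenge ACKs would be emitted under the two limit values quoted in the thread. It also implements the RFC's suggestion of treating an excessive number of throttled events as a sign of hostile conditions; the one-second window, the burst shape and the `hostile_threshold` value are assumptions chosen for illustration, not kernel behaviour.

```python
"""Simulation of an RFC 5961 style challenge-ACK throttle.

Added example for the mailing-list discussion above; this is not kernel
code. The two limit values (100 and 999999999) are the ones quoted in the
thread. The one-second window and the hostile_threshold heuristic are
assumptions made for illustration.
"""

from dataclasses import dataclass, field


@dataclass
class ChallengeAckThrottle:
    limit: int                      # max challenge ACKs per one-second window
    hostile_threshold: int = 1000   # assumption: throttled events per window
                                    # that count as "unusual or hostile"
    window_start: float = 0.0
    sent_in_window: int = 0
    suppressed_in_window: int = 0
    alerts: list = field(default_factory=list)

    def _roll_window(self, now: float) -> None:
        """Close the current one-second window once `now` has moved past it.

        Per RFC 5961, an excessive number of throttle invocations is taken
        as an indication of unusual or hostile network conditions, so a
        window with many suppressed challenge ACKs is recorded as an alert.
        """
        if now - self.window_start >= 1.0:
            if self.suppressed_in_window >= self.hostile_threshold:
                self.alerts.append((self.window_start, self.suppressed_in_window))
            self.window_start = now
            self.sent_in_window = 0
            self.suppressed_in_window = 0

    def on_bad_segment(self, now: float) -> bool:
        """Handle a segment that failed the RFC 5961 SEQ/ACK/RST checks.

        Returns True if a challenge ACK is sent, False if it was throttled.
        """
        self._roll_window(now)
        if self.sent_in_window < self.limit:
            self.sent_in_window += 1
            return True
        self.suppressed_in_window += 1
        return False


def run_burst(limit: int, segments: int, duration: float = 1.0,
              hostile_threshold: int = 1000):
    """Spread `segments` bad segments evenly over `duration` seconds.

    Returns (challenge_acks_sent, hostile_windows_flagged).
    """
    throttle = ChallengeAckThrottle(limit, hostile_threshold)
    sent = 0
    for i in range(segments):
        now = i * duration / segments
        if throttle.on_bad_segment(now):
            sent += 1
    # Close the final window so its suppressed count is evaluated too.
    throttle._roll_window(throttle.window_start + 1.0)
    return sent, len(throttle.alerts)


if __name__ == "__main__":
    burst = 5000  # constructed burst of bad segments within one second
    for limit in (100, 999999999):
        sent, flagged = run_burst(limit, burst)
        print(f"limit={limit:>9}: burst of {burst} bad segments -> "
              f"{sent} challenge ACKs sent, {flagged} window(s) flagged hostile")
```

With the stock limit of 100 the burst yields 100 challenge ACKs and the window is flagged; with the limit raised to 999999999 every one of the 5000 bad segments gets a challenge ACK back and nothing is flagged, which is the "unlimited" behaviour the reply is sceptical of.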