Re: tcp vulnerability? haven't seen anything on it here...

From: Florian Weimer
Date: Wed Apr 21 2004 - 16:42:23 EST

"David S. Miller" <davem@xxxxxxxxxx> writes:

> On Wed, 21 Apr 2004 19:27:01 +0200
> "Fabian Uebersax" <fabian.uebersax@xxxxxxxxxxxxxx> wrote:
> Anyone who recommends responding to a RST packet, does not
> understand TCP very well.

This was my thought as well. Surely you don't want to deploy such a
drastic change to the TCP state engine after just so little

In the confined environment of BGP peerings, the risks can be
controlled (RSTs are typically rate-limited on the receiving end
anyway, for example). On the net as a whole, you have to be
compatible with all implementations ever written. If some
implementation replied to the ACK cookie with another RST with a
suitable sequence number, there might be a few issues.

(BTW, TCP connections used for BGP typically have port numbers from a
very small set. So there is no additional randomness from that which
offers any additional protection.)

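The two receiver behaviours argued over in this thread, as an added example that is not part of the original message or of any kernel code: the plain RFC 793 rule (a RST whose sequence number falls anywhere in the receive window tears the connection down) beside the "ACK cookie" approach (only an exact RCV.NXT match resets; an in-window but inexact RST is answered with an ACK so a genuine peer can resend a RST with the exact number). The second policy is written in the form it was later standardized in by RFC 5961; the function names, the window sizes and the sample sequence numbers are constructed for illustration. The comparisons are done modulo 2**32 so the wraparound case is handled.

```python
"""Added example: how a TCP receiver classifies an incoming RST under the
two policies discussed in the thread.  Not code from the thread or the
kernel; names and sample values are constructed.

  rfc793    - RFC 793, section 3.4: a RST is valid if its sequence number
              is in the receive window; otherwise it is dropped.
  challenge - the "ACK cookie" behaviour (as standardized later in RFC
              5961): SEQ == RCV.NXT resets at once, an in-window inexact
              SEQ triggers a challenge ACK, out-of-window RSTs are dropped.
"""

SEQ_SPACE = 1 << 32  # TCP sequence numbers are 32 bits and wrap


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def classify_rst(seq: int, rcv_nxt: int, rcv_wnd: int,
                 policy: str = "rfc793") -> str:
    """Return what the receiver does with a RST: 'reset', 'challenge-ack'
    or 'drop'.  rcv_nxt is the next expected sequence number, rcv_wnd the
    advertised receive window."""
    seq %= SEQ_SPACE
    if policy == "rfc793":
        return "reset" if seq_in_window(seq, rcv_nxt, rcv_wnd) else "drop"
    if policy == "challenge":
        if seq == rcv_nxt:
            return "reset"
        if seq_in_window(seq, rcv_nxt, rcv_wnd):
            return "challenge-ack"
        return "drop"
    raise ValueError(f"unknown policy {policy!r}")


def resetting_fraction(rcv_wnd: int, policy: str) -> float:
    """Fraction of the 2**32 sequence space whose RSTs reset the connection
    outright under a policy: the quantity that makes the window size matter
    under RFC 793 and stop mattering under the challenge-ACK rule."""
    if policy == "rfc793":
        return rcv_wnd / SEQ_SPACE
    if policy == "challenge":
        return 1 / SEQ_SPACE
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed receiver state: RCV.NXT just below the wraparound point,
    # a 64 KiB window, so the window straddles 2**32.
    rcv_nxt, rcv_wnd = SEQ_SPACE - 10, 65535
    samples = [
        ("exact RCV.NXT", rcv_nxt),
        ("in window, after wrap", 5),
        ("just below window", rcv_nxt - 1),
        ("just past window", (rcv_nxt + rcv_wnd) % SEQ_SPACE),
    ]
    for label, seq in samples:
        print(f"{label:22s} seq={seq:>10d} rfc793={classify_rst(seq, rcv_nxt, rcv_wnd):14s}"
              f" challenge={classify_rst(seq, rcv_nxt, rcv_wnd, 'challenge')}")
    for policy in ("rfc793", "challenge"):
        print(f"{policy:9s} resets on {resetting_fraction(rcv_wnd, policy):.3e} of the space")
```

The wraparound sample (RCV.NXT a few bytes below 2**32, a RST with sequence number 5) is the case a naive `rcv_nxt <= seq < rcv_nxt + rcv_wnd` comparison gets wrong; the modular subtraction accepts it correctly under both policies. The thread's reservation about the second policy is visible in the table too: every in-window RST that is not an exact match now generates an outbound ACK, so the receiver's behaviour depends on how the other end reacts to that ACK.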