I suspect that this is to safeguard against certain types of resource-starving DoS attacks. TCP window scaling is used to help performance with Long Fat Networks, because normal TCP windows aren't large enough to get maximum efficiency out of, for instance, a 2MB satellite link. All it does is add a multiplier to the TCP window size. However, since a host may have to retransmit everything that hasn't been ack'd, a really large window means that host has to keep a buffer the size of the window allocated. Someone malicious could use this to a) establish a connection, b) open the TCP window *really* wide, c) request something large enough to fill that window, d) not ack any of that data, e) lather, rinse, repeat until f) your host runs out of memory and can't accept any more connections.
I believe something similar could be done with SACK. A host could selectively *not* ack packets interspersed within packets that it *does* ack. I believe this wouldn't be quite so bad, as a host should only retain un-ack'd packets of total size of its window size, no matter if those packets are contiguous or not. But it may be that the TCP stack keeps all packets from the last non-ack'd packet to the present in buffer. I honestly don't know.

The title of that really should be "securing or optimizing linux." SACK is definitely useful and performance-enhancing. It may open you up to certain kinds of DoS. Window scaling is a huge help *if* you ever expect to have connections over LFNs. But it could be used for a DoS. Choose your poison; which is more important to you?

-Joe

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Maciej Soltysiak
> Sent: Monday, March 25, 2002 9:32 AM
> To: [EMAIL PROTECTED]
> Subject: tcp/ip parameters question.
>
> Hello,
>
> In 'securing and optimizing linux', the author suggests turning off:
> tcp_window_scaling
> tcp_sack
>
> Unfortunately he does not say why.
> It's here:
> http://www.linuxdoc.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap6sec75.html
>
> Any cons for SACK and window scaling?
> AFAIK Selective ACK is a neat feature to allow us to ACK data in a more elastic way. Say ACK all data to X, and some from Y to Z.
> I am not sure about window scaling; maybe someone could advertise a window of 0 bytes, then the connection would stall, but it is his connection, not other people's.
> Any ideas?
>
> Best Regards,
> Maciej Soltysiak
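As an added worked example, not code from either message in this thread, the following Python estimates the send-buffer exposure Joe describes: how many stalled, non-acknowledging connections it takes to pin a given amount of memory with and without window scaling. The sysctl values are constructed samples, and the use of the tcp_wmem send-buffer ceiling to bound the exposure is an assumption the thread itself does not mention.

```python
# Added example, not code from the list thread: estimate how much send-buffer memory a
# Linux host can be made to hold by peers that advertise a big window and stop acking.
# Constructed sample sysctl values in /proc/sys/net/ipv4 format (assumed, not from the
# thread); a real check would read those files instead.
SAMPLE_SYSCTLS = {
    "tcp_window_scaling": "1",
    "tcp_sack": "1",
    "tcp_wmem": "4096\t16384\t4194304",  # min, default, max send buffer in bytes
}

MAX_WINDOW_FIELD = 65535  # 16-bit window field in the TCP header
MAX_WSCALE_SHIFT = 14     # largest shift the window scale option allows


def parse_sysctls(raw):
    """Turn raw /proc strings into typed values (flags as bool, tcp_wmem as ints)."""
    return {
        "tcp_window_scaling": raw["tcp_window_scaling"].strip() == "1",
        "tcp_sack": raw["tcp_sack"].strip() == "1",
        "tcp_wmem": tuple(int(v) for v in raw["tcp_wmem"].split()),
    }


def max_advertised_window(window_scaling_enabled, shift=MAX_WSCALE_SHIFT):
    """Largest window a peer can advertise: 64 KiB without scaling, ~1 GiB with it."""
    if not window_scaling_enabled:
        return MAX_WINDOW_FIELD
    return MAX_WINDOW_FIELD << shift


def per_connection_exposure(window_scaling_enabled, wmem_max):
    """Unacknowledged bytes the host can be forced to keep per stalled connection.

    The window invites up to max_advertised_window() bytes in flight, but the kernel
    queues no more than the socket send buffer, whose autotuning ceiling is tcp_wmem[2]
    (simplification: sockets that set SO_SNDBUF are capped by net.core.wmem_max
    instead, and the global tcp_mem limits are not modelled).
    """
    return min(max_advertised_window(window_scaling_enabled), wmem_max)


def stalled_connections_to_exhaust(mem_bytes, window_scaling_enabled, wmem_max):
    """How many stalled connections it takes to pin mem_bytes of send buffers."""
    per_conn = per_connection_exposure(window_scaling_enabled, wmem_max)
    return -(-mem_bytes // per_conn)  # ceiling division
```

With the sample values, scaling raises the advertisable window from 64 KiB to about 1 GiB, yet the 4 MiB tcp_wmem ceiling means 256 stalled connections pin 1 GiB either way the window is advertised, versus 16385 without scaling.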
