On Tue, 26 Mar 2019 at 13:59, Paul Wouters <[email protected]> wrote:
>
> Of course, we wanted to suppress logging for duplicates to prevent DOS
> attacks. I guess that might have been the wrong choice but there was a reason

Yea. Some sort of breadcrumb is needed - the complete absence of
retransmit logging leaves the impression that the remote end sent only
one packet. Perhaps a heuristic where a ludicrous number of duplicates
for a given state triggers DDOS mode?

> Sent from mobile device
>
> Begin forwarded message:
>
> From: Andrew Cagney <[email protected]>
> Date: March 26, 2019 at 18:51:22 GMT+1
> To: [email protected]
> Subject: [Swan-commit] Changes to ref refs/heads/master
> Reply-To: [email protected]
>
> New commits:
> commit 4b58c22bb03f83617308aece39af0550968b994b
> Merge: 9db87e4 f62bd38
> Author: Andrew Cagney <[email protected]>
> Date: Tue Mar 26 13:50:17 2019 -0400
>
> ikev2: clearly log when re-transmitting in response to a duplicate request
>
> Merge commit 'f62bd383251195e75c2ff33e351d59e17a3afe88'
>
> commit f62bd383251195e75c2ff33e351d59e17a3afe88
> Author: Andrew Cagney <[email protected]>
> Date: Tue Mar 26 13:47:47 2019 -0400
>
> ikev2: log (not debug-log) when a duplicate request triggers a retransmit
> response
>
> Was only logging when a duplicate was received mid-crypto.
>
> commit ddbf8d8a99b9dc52104a14d8ff8e8bc70878a33d
> Author: Andrew Cagney <[email protected]>
> Date: Tue Mar 26 13:47:17 2019 -0400
>
> testing: add more duplicate packet tests
>
> _______________________________________________
> Swan-commit mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan-commit
>
> _______________________________________________
> Swan-dev mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan-dev
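
The trade-off discussed in this thread (leave a breadcrumb for retransmits without letting a flood of duplicates fill the log), sketched as an added example that is not libreswan code and not part of the original messages. All names and the threshold are hypothetical: the first few duplicates of a request are logged, one final line announces suppression, and the unlogged count is reported when the next new request arrives.

```c
#include <limits.h>
#include <stdio.h>
/* Hypothetical names and threshold; not libreswan's structures or API. */
#define DUP_LOG_LIMIT 3	/* duplicates logged one by one per request */
enum dup_action { DUP_LOG, DUP_LOG_LAST, DUP_SILENT };

struct dup_tracker {
	unsigned long msgid;	/* message ID of the request already answered */
	unsigned dups;		/* duplicates of it seen so far */
};

/* A request repeated the answered message ID: decide what to log. */
enum dup_action on_duplicate(struct dup_tracker *t)
{
	if (t->dups < UINT_MAX) t->dups++;	/* saturate, never wrap, under a flood */
	if (t->dups <= DUP_LOG_LIMIT)
		return DUP_LOG;
	return t->dups == DUP_LOG_LIMIT + 1 ? DUP_LOG_LAST : DUP_SILENT;
}

/* A new request arrived: reset, and report how many duplicates went unlogged. */
unsigned on_new_request(struct dup_tracker *t, unsigned long msgid)
{
	unsigned unlogged = t->dups > DUP_LOG_LIMIT + 1 ? t->dups - (DUP_LOG_LIMIT + 1) : 0;
	t->msgid = msgid;
	t->dups = 0;
	return unlogged;
}

/* Feed n duplicates of the current request; return log lines written. */
unsigned replay_duplicates(struct dup_tracker *t, unsigned n)
{
	unsigned lines = 0;
	for (unsigned i = 0; i < n; i++) {
		enum dup_action a = on_duplicate(t);
		if (a == DUP_SILENT) continue;
		printf("msgid %lu: duplicate request, retransmitting response%s\n", t->msgid, a == DUP_LOG_LAST ? "; not logging further duplicates" : "");
		lines++;
	}
	return lines;
}

int main(void)
{
	struct dup_tracker t = { .msgid = 1, .dups = 0 };	/* constructed input */
	unsigned lines = replay_duplicates(&t, 1000);
	printf("%u lines logged, %u duplicates unlogged\n", lines, on_new_request(&t, 2));
	return 0;
}
```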
