At 12:01 8/12/2016 -0400, Zack Weinberg wrote:
Also, if you read the paper, raising the global rate limit (as suggested by the reg. article) doesn't help; it only slows the attacker down a little.
The paper indicates that a global counter limit other than 100 can be easily discovered. However, the recommended mitigation effectively removes the global counter by setting it to 10^9. The described attack requires the counter to be exhausted inside the temporal bounds of one second, and the Internet as it exists today cannot support 10^9 probes on that deadline.
IMO the recommended mitigation is effective and should be applied by those believing the RFC-5961-as-presently-implemented changes are worse than the weaknesses addressed by the RFC. I applied the mitigation.
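As an added illustration of the reasoning above (example code written for this page, not from the thread or the paper), the following Python model treats the challenge-ACK limiter as a single global per-second budget, as the thread describes it. An attacker sends probes on its own connection and counts the challenge ACKs it gets back; if a spoofed packet aimed at another connection consumed one from the same budget in the same second, the attacker sees one fewer. With a limit of 100 that difference is visible; with a limit of 10^9 the attacker cannot exhaust the budget inside one second, so the count it observes is the same either way. The probe timing, the 40-byte probe size and the 10 Gbit/s link used for the packet-rate bound are assumed figures, not values from the discussion.

```python
"""Model of a global per-second challenge-ACK budget and the 10^9 mitigation.

Illustrative only: the limiter below is a simplification of the idea the
thread discusses (one shared counter, reset every second), not kernel code.
"""
from dataclasses import dataclass


@dataclass
class ChallengeAckLimiter:
    """Global budget of challenge ACKs per wall-clock second (shared by all sockets)."""
    limit: int
    count: int = 0       # challenge ACKs already sent in the current second
    window: int = -1     # which second the count belongs to

    def allow(self, now: float) -> bool:
        """Return True if a challenge ACK may be sent at time `now` (seconds)."""
        sec = int(now)
        if sec != self.window:          # new second: counter starts over
            self.window = sec
            self.count = 0
        if self.count >= self.limit:
            return False
        self.count += 1
        return True


def attacker_observation(limit: int, probes: int, spoof_consumed_one: bool,
                         t0: float = 0.0) -> int:
    """Number of challenge ACKs the attacker receives on its own connection.

    `spoof_consumed_one` models whether a spoofed packet sent to a victim
    connection drew a challenge ACK (which goes to the real peer, not to the
    attacker) out of the same global budget in the same second.  All probes
    are timed (assumed) to land inside that one second.
    """
    limiter = ChallengeAckLimiter(limit)
    if spoof_consumed_one:
        limiter.allow(t0)
    received = 0
    for i in range(probes):
        if limiter.allow(t0 + 0.5 * i / probes):   # stays within second int(t0)
            received += 1
    return received


def can_distinguish(limit: int, probes: int) -> bool:
    """True if the attacker's count differs depending on the spoofed packet's fate."""
    return (attacker_observation(limit, probes, True)
            != attacker_observation(limit, probes, False))


def probes_per_second(link_bps: int, probe_bytes: int) -> int:
    """Upper bound on probes per second a link can carry (assumed minimal-size probes)."""
    return link_bps // (8 * probe_bytes)


if __name__ == "__main__":
    print("limit=100, 100 probes:", attacker_observation(100, 100, True),
          "vs", attacker_observation(100, 100, False),
          "-> distinguishable:", can_distinguish(100, 100))
    print("limit=10^9, 100000 probes -> distinguishable:",
          can_distinguish(10**9, 100_000))
    # Assumed 10 Gbit/s link and 40-byte probes: far below 10^9 probes/second.
    print("10G link, 40-byte probes:", probes_per_second(10_000_000_000, 40),
          "probes/s; budget of 10^9 not exhaustible in one second")
```

The model's only role is to show why the size of the budget matters: the side channel exists only if the attacker can drain the whole counter inside the second in which the spoofed packet arrived, and 10^9 is beyond any packet rate a single host or link can deliver today.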