Rob McCool said:
> ... the queue is used both for connections that are ready to be
> accepted as well as for half-negotiated connections. The latter can
> fill the queue, starving any new connections from being negotiated.
This sounds like a very interesting hypothesis. Suppose all the
pending connections were half-negotiated. The queue might be full, so
the server (actually, the OS) would reject new connections, but there
would be no completed connections to process.
This matches what we see... and, incidentally, if true, it makes for a
fairly neat denial-of-service attack against Unix-based TCP servers.
(If Mallet wants to disable rlogin and telnet on a machine he's in the
process of subverting, he just has to make his machine,
badguy.mallet.com, deliberately initiate five connections on those
ports and fail to complete the handshake).
Things that make you go hmmm...
rst