1) Add the ECHO service (UDP port 7) to the list of ports that are protected against reflection attacks.
2) Update the code of the stateless reset generation to make it obvious that the stateless reset will always be at least one byte shorter that the incoming packet.
The other precautions in the code are unchanged, in particular the rate limiting of packet resets, by default enforcing a delay of at least 100ms between consecutive stateless reset packets.
Looking at a report from a nasty loop between Google QUIC servers and an UDP ECHO service incited two changes in the code:
1) Add the ECHO service (UDP port 7) to the list of ports that are protected against reflection attacks. 2) Update the code of the stateless reset generation to make it obvious that the stateless reset will always be at least one byte shorter that the incoming packet.
The other precautions in the code are unchanged, in particular the rate limiting of packet resets, by default enforcing a delay of at least 100ms between consecutive stateless reset packets.