Re: DSA for CVE-2016-5696 (off-path blind TCP session attack)

To: debian-security@lists.debian.org
Subject: Re: DSA for CVE-2016-5696 (off-path blind TCP session attack)
From: Jakub Wilk <jwilk@debian.org>
Date: Fri, 12 Aug 2016 17:46:56 +0200
Message-id: <[🔎] 20160812154656.bxqadsb566244tjk@jwilk.net>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 20160812153534.lzbw7phrat6pr2xe@eldamar.local>
References: <[🔎] ca61a0f6965507312e653f9bf3d4e208@webmail.vdberg.org> <[🔎] 20160812153534.lzbw7phrat6pr2xe@eldamar.local>

* Salvatore Bonaccorso <carnil@debian.org>, 2016-08-12, 17:35:

mitigation could be used as per https://lwn.net/Articles/696868/ .


This is behind paywall at the moment. The relevant part appears to be:

there is a mitigation available in the form of thetcp_challenge_ack_limit sysctl knob. Setting that value to somethingenormous (e.g. 999999999) will make it much harder for attackers toexploit the flaw.


--
Jakub Wilk

Reply to:

Follow-Ups:
- Re: DSA for CVE-2016-5696 (off-path blind TCP session attack)
  - From: Clément Hermann <nodens@nodens.org>
- Re: DSA for CVE-2016-5696 (off-path blind TCP session attack)
  - From: Rick Moen <rick@linuxmafia.com>
- Re: DSA for CVE-2016-5696 (off-path blind TCP session attack)
  - From: Sam Morris <sam@robots.org.uk>

References:
- DSA for CVE-2016-5696 (off-path blind TCP session attack)
  - From: Richard van den Berg <richard@vdberg.org>
- Re: DSA for CVE-2016-5696 (off-path blind TCP session attack)
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Re: DSA for CVE-2016-5696 (off-path blind TCP session attack)
Next by Date: Re: DSA for CVE-2016-5696 (off-path blind TCP session attack)
Previous by thread: Re: DSA for CVE-2016-5696 (off-path blind TCP session attack)
Next by thread: Re: DSA for CVE-2016-5696 (off-path blind TCP session attack)
Index(es):
- Date
- Thread