
Re: DSA for CVE-2016-5696 (off-path blind TCP session attack)




On 12/08/2016 at 17:46, Jakub Wilk wrote:
> * Salvatore Bonaccorso <carnil@debian.org>, 2016-08-12, 17:35:
>> mitigation could be used as per https://lwn.net/Articles/696868/ .
>
> This is behind paywall at the moment. The relevant part appears to be:
>
>> there is a mitigation available in the form of the
>> tcp_challenge_ack_limit sysctl knob. Setting that value to something
>> enormous (e.g. 999999999) will make it much harder for attackers to
>> exploit the flaw. 
>

The Akamai blog describes the workaround as well [1]; you could implement
it with:

  sysctl net.ipv4.tcp_challenge_ack_limit=1073741823; \
  grep -q tcp_challenge_ack_limit /etc/sysctl.conf /etc/sysctl.d/* || \
    echo "net.ipv4.tcp_challenge_ack_limit=1073741823" >> /etc/sysctl.d/cve-2016-5696.conf


[1]
https://blogs.akamai.com/2016/08/vulnerability-in-the-linux-kernels-tcp-stack-implementation.html

Cheers!

-- 
Clément (nodens)
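The following script is an added example and is not part of the mail above or of any Debian or Akamai material. It does the same thing as the one-liner in the mail, persisting net.ipv4.tcp_challenge_ack_limit in a sysctl.d drop-in and raising it in the running kernel, with one practical difference: the one-liner's bare `grep -q tcp_challenge_ack_limit` also matches a commented-out line such as "#net.ipv4.tcp_challenge_ack_limit = 100", in which case the drop-in is never written and the mitigation is not persisted across reboots. The script instead looks for an active (uncommented) "key = value" line. The config file and drop-in directory are passed as arguments (my assumption, so the functions can be exercised against a scratch directory without root); the drop-in name cve-2016-5696.conf and the value 1073741823 are taken from the thread. The knob caps how many challenge ACKs the kernel sends per second, and the attack works by counting them, so a near-maximum limit is what makes the side channel impractical.

```shell
#!/bin/sh
# Added example, not code from the mail above: persist the CVE-2016-5696
# workaround (net.ipv4.tcp_challenge_ack_limit) in a sysctl.d drop-in the
# way the thread's one-liner does, but only skip writing when an *active*
# (uncommented) setting of the key already exists.
#
# Assumptions (mine): CONF and DIR are passed as arguments so the functions
# can run against a scratch directory without root; the drop-in name
# cve-2016-5696.conf and the value 1073741823 come from the thread.

KEY=net.ipv4.tcp_challenge_ack_limit
VALUE=1073741823   # 2^30 - 1, as in the thread

# Print the last active value of $KEY found in the given files, or nothing.
# sysctl.conf syntax is "key = value" with optional whitespace; lines that
# start with '#' or ';' are comments, so the anchored pattern skips them.
active_setting() {
    key_re=$(printf '%s\n' "$KEY" | sed 's/\./\\./g')   # escape dots for sed
    cat "$@" 2>/dev/null |
        sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*\([^[:space:]#;]*\).*/\1/p" |
        tail -n 1
}

# Current value in the running kernel, or nothing if the knob is absent
# (older kernels, or a non-Linux test host).  Readable without root.
running_value() {
    cat /proc/sys/net/ipv4/tcp_challenge_ack_limit 2>/dev/null
}

# ensure_persisted CONF DIR: write DIR/cve-2016-5696.conf unless CONF or
# DIR/*.conf already carries an active setting.  Returns 0 when it wrote
# the drop-in, 1 when an existing active setting was left alone.
ensure_persisted() {
    conf=$1; dir=$2
    # sysctl --system reads DIR/*.conf before CONF, so CONF's value wins.
    existing=$(active_setting "$dir"/*.conf "$conf")
    if [ -n "$existing" ]; then
        printf 'left alone: %s=%s already configured\n' "$KEY" "$existing"
        return 1
    fi
    mkdir -p "$dir"
    printf '%s=%s\n' "$KEY" "$VALUE" > "$dir/cve-2016-5696.conf"
    return 0
}

# apply_now: raise the limit in the running kernel; needs root.
apply_now() {
    sysctl -w "$KEY=$VALUE"
}

# Real use (as root): ./challenge_ack_limit.sh /etc/sysctl.conf /etc/sysctl.d
# Afterwards `running_value` should print 1073741823.
if [ $# -eq 2 ]; then
    ensure_persisted "$1" "$2" || true
    apply_now
fi
```

When the script prints "left alone", something on the host already sets the key; check that the value it reports is actually large rather than assuming it is, and compare with running_value to confirm the kernel has picked it up.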

