
Re: DSA for CVE-2016-5696 (off-path blind TCP session attack)



Quoting Jakub Wilk (jwilk@debian.org):

> * Salvatore Bonaccorso <carnil@debian.org>, 2016-08-12, 17:35:
> >mitigation could be used as per https://lwn.net/Articles/696868/ .
> 
> This is behind a paywall at the moment. The relevant part appears to be:
> 
> >there is a mitigation available in the form of the
> >tcp_challenge_ack_limit sysctl knob. Setting that value to
> >something enormous (e.g. 999999999) will make it much harder for
> >attackers to exploit the flaw.

The passage immediately before that should also be of interest:

  Cao did alert kernel developers to the problem, which was fixed
  (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758)
  in the mainline in July (and appears in the 4.7 kernel).  The fix raises
  the limit to 1000 challenge ACKs per second, but also adds some
  randomization to the value so that counting will be less effective.  In
  addition, the patch notes per-socket rate-limiting is available, which
  could lead to the removal of the global challenge ACK count down the
  road; some work
  (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=083ae308280d13d187512b9babe3454342a7987e)
  toward that end has been merged as well.

  The fix has not made it to the stable kernels yet [...].

-- 
Cheers,             Grossman's Law:  "In time of crisis, people do not rise to
Rick Moen           the occasion.  They fall to the level of their training."
rick@linuxmafia.com          http://linuxmafia.com/~rick/lexicon.html#grossman
McQ! (4x80)
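A defender-side check for the interim mitigation discussed in the thread, added here as an example and not code from the thread or from Debian; the kernel-version heuristic, the sysctl.d drop-in name and the sample host values are assumptions.

```shell
#!/bin/sh
# Added example (not part of the thread): assess whether a host still needs the
# tcp_challenge_ack_limit workaround for CVE-2016-5696 and emit the sysctl line
# quoted from the LWN article. The kernel-version test is only a heuristic:
# distributions (a Debian DSA included) backport the fix without changing the
# major version, so treat "fixed-kernel" as mainline 4.7+, not as proof.

# Return 0 if version "$1" (e.g. 4.4.0-1-amd64) is at or above mainline 4.7,
# the release that carries the challenge-ACK fix, else 1.
kernel_has_mainline_fix() {
    major=$(echo "$1" | cut -d. -f1)
    minor=$(echo "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "${minor:-0}" -ge 7 ]; }
}

# Given the current net.ipv4.tcp_challenge_ack_limit "$1", return 0 if the
# workaround is still worth applying. The pre-fix kernel default is 100 per
# second; only the "enormous" value from the article blunts the side channel.
needs_workaround() {
    [ "$1" -lt 999999999 ]
}

# Content for a sysctl.d drop-in (file name is an assumption, e.g.
# /etc/sysctl.d/90-cve-2016-5696.conf); constructed here, not from the thread.
workaround_config() {
    printf '# CVE-2016-5696 interim mitigation until a fixed kernel is running\n'
    printf 'net.ipv4.tcp_challenge_ack_limit = 999999999\n'
}

# Classify a host from kernel version "$1" and current limit "$2":
# fixed-kernel | workaround-active | vulnerable-apply-workaround
assess() {
    if kernel_has_mainline_fix "$1"; then
        echo fixed-kernel
    elif needs_workaround "$2"; then
        echo vulnerable-apply-workaround
    else
        echo workaround-active
    fi
}

# Live check of this machine, only when the knob exists.
if [ -r /proc/sys/net/ipv4/tcp_challenge_ack_limit ]; then
    cur=$(cat /proc/sys/net/ipv4/tcp_challenge_ack_limit)
    ver=$(uname -r)
    verdict=$(assess "$ver" "$cur")
    echo "kernel $ver, tcp_challenge_ack_limit=$cur: $verdict"
    if [ "$verdict" = vulnerable-apply-workaround ]; then workaround_config; fi
fi
```

Pipe the output of `workaround_config` into a file under /etc/sysctl.d and run `sysctl --system` to apply it without a reboot.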

