
Re: (OT kinda) Newly-discovered TCP flaw



Joe wrote:

> On Thu, 11 Aug 2016 20:31:37 +0100
> Lisi Reisz <lisi.reisz@gmail.com> wrote:
> 
> 
>> 
>> I copied and pasted the commands exactly, and ran them as root, and
>> got an echo of net.ipv4.tcp_challenge_ack_limit = 999999999 in
>> response to the first and a blank return in response to the second.
>> I don't know the significance.
>> 
> 
> Go and read /proc/net/ipv4... and it should show the changed value.
> 
> I believe the echo means it worked. I also believe it needs to be added
> to /etc/sysctl.conf (without the 'sysctl -p') to be redone on boot. It
> seems to affect every current Debian up to sid.

I don't see it in the /proc tree (kernel 4.6.4 on jessie)
 
# ls -1 /proc/net/ip*
/proc/net/ip6_flowlabel
/proc/net/ip_tables_matches
/proc/net/ip_tables_names
/proc/net/ip_tables_targets
/proc/net/ipv6_route

and on the firewall (2.6.26.2 wheezy)

sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999
sysctl: cannot stat /proc/sys/net/ipv4/tcp_challenge_ack_limit: No such file or directory

I don't understand if it is bad.

on the file server (kernel 3.2.0 jessie)

cat /proc/sys/net/ipv4/tcp_challenge_ack_limit
999999999

interesting ...

Do you have recommendations?

regards
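
Added example, not part of the original message: a small shell audit that separates the three situations seen on the hosts above (tunable not exposed by the kernel, value set only at runtime, value also persisted in /etc/sysctl.conf). The function names are hypothetical, and the file paths are passed as arguments so the checks can also be run against constructed files.

```shell
#!/bin/sh
# Added example: audit net.ipv4.tcp_challenge_ack_limit on one host.
# Function names are illustrative; paths are arguments so the logic is testable.
PROC_DEFAULT=/proc/sys/net/ipv4/tcp_challenge_ack_limit

# Print the live value, or "absent" when the kernel does not expose the tunable
# (the "cannot stat ... No such file or directory" case).
runtime_value() {
    proc_file="${1:-$PROC_DEFAULT}"
    if [ -r "$proc_file" ]; then
        tr -d ' \t\n' < "$proc_file"
    else
        echo "absent"
    fi
}

# Print the last uncommented value assigned to the key in the given
# sysctl config files (read in the order given), or "unset".
persisted_value() {
    val="unset"
    for f in "$@"; do
        [ -r "$f" ] || continue
        found=$(sed -n 's/^[[:space:]]*net\.ipv4\.tcp_challenge_ack_limit[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$f" | tail -n 1)
        [ -n "$found" ] && val="$found"
    done
    echo "$val"
}

# Usage: audit PROC_FILE CONFIG_FILE...
# Combine both checks into a one-line verdict.
audit() {
    proc_file="$1"; shift
    live=$(runtime_value "$proc_file")
    saved=$(persisted_value "$@")
    if [ "$live" = "absent" ]; then
        echo "no-tunable"                      # nothing to set on this kernel
    elif [ "$saved" = "unset" ]; then
        echo "runtime-only:$live"              # will revert on reboot
    elif [ "$saved" = "$live" ]; then
        echo "persistent:$live"
    else
        echo "mismatch:live=$live,saved=$saved"
    fi
}

audit "$PROC_DEFAULT" /etc/sysctl.conf
```

A "runtime-only" verdict means the value was applied with sysctl -w but has no matching line in the config file that was checked.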

