
Re: (OT kinda) Newly-discovered TCP flaw



On Friday 12 August 2016 08:22:26 Curt wrote:

> On 2016-08-12, Gene Heskett <gheskett@shentel.net> wrote:
> >> Simply using the command 'net.ipv4.tcp_challenge_ack_limit =
> >> 999999999' as root sets the value, but does not survive a reboot.
> >> Running 'sysctl -p' with no argument after having issued the above
> >> command does nothing but reread '/etc/sysctl.conf' (and gives no
> >> output). 'sysctl -p xxx.conf' echos the new value in xxx.conf.
> >
> > And if this has been installed into the /etc/sysctl.conf file, what
> > will it be set to after a reboot?
>
> To the new value you've entered in that file. 'sysctl -p
> /etc/sysctl.conf/' or 'sysctl -p /etc/sysctl.d/xxx.conf' sets the
> value while the kernel is running.  That value will be "parsed within
> sysctl(8) at boot time." To create a new value you either edit
> /etc/sysctl.conf or make a new file under the /etc/sysctl.d directory
> ending in '.conf'.
>
> At least, that's the way I understand it.
>
> > I interpret that, since the word "at run time" in that README to
> > mean a reboot.  And I do not see an exception in that README that
> > should muddy that meaning.
>
> I do not have the phrase "at run time" anywhere in my README.

It is there, as "at runtime", in my wheezy copy of that man page.
The README OTOH says "at boot time", and I have to assume that the 
equivalent of sysctl -p is invoked at runtime, e.g. at boot-up.

In /etc/init.d the applicable file might be procps; it will call sysctl.
A root "service procps restart" is uneventful, and the value of:
root@coyote:/etc/init.d# service procps restart
[ ok ] Setting kernel variables ...done.
root@coyote:/etc/init.d# cat /proc/sys/net/ipv4/tcp_challenge_ack_limit 
999999999
is preserved.

Based on that, I'll not worry about doing a reboot in the next 10 
minutes.  I have a new 1 TB drive and an Ubuntu 16.04 LTS MATE DVD, for 
which I need to figure out how to make networking work in live DVD mode. 
Then I'll do a test install following their directions for how to use a 
pre-partitioned GPT-format disk that has already been formatted.

That of course qualifies as a reboot, and is subject to this attack as 
soon as networking is enabled. I don't know if I can apply this fix even 
before I bring up the network, but I should.  Interesting time-killing 
experiment, but that's all it is.  I have that 16.04 LTS in Xfce flavor 
on my flea-powered 14-year-old laptop.  Even with Xfce, the bloated 
state is obvious.

If that works, I will STFU about their broken installer; if not, that 
campaign to get it fixed to work with a pre-partitioned disk will 
continue.  But it's a test install only, as I will reformat it and load 
it from the latest .iso that can run LinuxCNC.

> Tata,
>
> Curt

Be well.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
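The thread above mixes up three separate things: setting the value in the running kernel, making it survive a reboot, and checking what the kernel actually holds. The script below is an added example, not code from the thread or from Debian's procps package, that does all three and verifies the result instead of assuming it. What the thread describes as running the assignment "as root" is really `sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999`, which is what `sysctl -p FILE` does for every entry in FILE. A bare `sysctl -p` reads only /etc/sysctl.conf; the drop-ins under /etc/sysctl.d/*.conf are picked up by the procps init script at boot (which is why `service procps restart` re-applied the value in the thread) and by `sysctl --system`. The helper names, the drop-in file name 60-tcp-challenge-ack.conf, and the PROC_SYS override (which lets the read/verify helpers be exercised against a scratch directory without root) are assumptions of this example. The large limit is the stopgap from the thread for the August 2016 challenge ACK rate-limit issue (CVE-2016-5696); the real fix is a patched kernel that makes the per-second challenge-ACK count unpredictable.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names and the drop-in file
# name are made up for this illustration. PROC_SYS can be pointed at a
# scratch directory to exercise the read/verify helpers without root.
set -e

SYSCTL_KEY="net.ipv4.tcp_challenge_ack_limit"
SYSCTL_VALUE="999999999"     # the stopgap value used in the thread
DROPIN="${DROPIN:-/etc/sysctl.d/60-tcp-challenge-ack.conf}"   # assumed name

# Map a dotted sysctl key onto its file under /proc/sys.
sysctl_path() {
    printf '%s/%s\n' "${PROC_SYS:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}

# Read the value the running kernel currently holds
# (the same thing 'cat /proc/sys/net/ipv4/...' shows in the thread).
sysctl_get() {
    cat "$(sysctl_path "$1")"
}

# Exit 0 if the live value matches what we expect, 1 otherwise.
verify_value() {
    [ "$(sysctl_get "$1")" = "$2" ]
}

# Write the persistent drop-in. /etc/sysctl.d/*.conf is read by the procps
# init script at boot and by 'sysctl --system', so this is the part that
# survives a reboot. A bare 'sysctl -p' reads only /etc/sysctl.conf.
write_dropin() {
    printf '# Raise the TCP challenge ACK rate limit (CVE-2016-5696 stopgap)\n%s = %s\n' \
        "$1" "$2" > "$3"
}

# Apply the drop-in to the running kernel right away; this is equivalent to
# 'sysctl -w key=value' for each entry in the file and needs root.
apply_dropin() {
    sysctl -p "$1"
}

# Persist, apply, then read the value back so the reboot is not an act of faith.
persist_and_apply() {
    write_dropin "$SYSCTL_KEY" "$SYSCTL_VALUE" "$DROPIN"
    apply_dropin "$DROPIN"
    if verify_value "$SYSCTL_KEY" "$SYSCTL_VALUE"; then
        echo "$SYSCTL_KEY = $(sysctl_get "$SYSCTL_KEY") (persistent in $DROPIN)"
    else
        echo "kernel still reports $(sysctl_get "$SYSCTL_KEY"); check $DROPIN" >&2
        return 1
    fi
}
```

Run `persist_and_apply` as root; after a reboot, `verify_value net.ipv4.tcp_challenge_ack_limit 999999999` answers the question the thread was circling, and on a wheezy box `service procps restart` replays the same drop-ins without rebooting.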

