
Re: (OT kinda) Newly-discovered TCP flaw



On Thursday 11 August 2016 16:35:06 deloptes wrote:

> Joe wrote:
> > On Thu, 11 Aug 2016 20:31:37 +0100
> >
> > Lisi Reisz <lisi.reisz@gmail.com> wrote:
> >> I copied and pasted the commands exactly, and ran them as root, and
> >> got an echo of net.ipv4.tcp_challenge_ack_limit = 999999999 in
> >> response to the first and a blank return in response to the second.
> >> I don't know the significance.
> >
> > Go and read /proc/net/ipv4... and it should show the changed value.
> >
> > I believe the echo means it worked. I also believe it needs to be
> > added to /etc/sysctl.conf (without the 'sysctl -p') to be redone on
> > boot. It seems to affect every current Debian up to sid.
>
> I don't see it in the /proc tree (kernel 4.6.4 on jessie)
>
> # ls -1 /proc/net/ip*
> /proc/net/ip6_flowlabel
> /proc/net/ip_tables_matches
> /proc/net/ip_tables_names
> /proc/net/ip_tables_targets
> /proc/net/ipv6_route
>
> and on the firewall (2.6.26.2 wheezy)
>
>  sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999
> sysctl: cannot stat /proc/sys/net/ipv4/tcp_challenge_ack_limit: No
> such file or directory
>
> I don't understand if it is bad.
>
> on the file server (kernel 3.2.0 jessie)
>
> cat /proc/sys/net/ipv4/tcp_challenge_ack_limit
> 999999999
>
> interesting ...
>
> Do you have recommendations?

It looks like you have it right.

> regards


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
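
A check for the situations reported in this thread (tunable missing from the kernel, value set at runtime only, value persisted for boot), as an added example that is not part of the original messages. The function names and the optional root-directory arguments are assumptions of this example, and the file search order is a simplification (`sysctl.d/*.conf` first, `sysctl.conf` last).

```shell
#!/bin/sh
# Added example: audit net.ipv4.tcp_challenge_ack_limit on a host.
# $1 (proc root, default /proc/sys) and $2 (config root, default /etc) are
# hypothetical parameters so the functions can be run against a test tree.

# Print the running value, or "absent" when the kernel does not expose the
# tunable (the "cannot stat" case seen on the 2.6.26 host in the thread).
ack_limit_runtime() {
    f="${1:-/proc/sys}/net/ipv4/tcp_challenge_ack_limit"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Print the value configured for boot, or "unset".
# Commented-out lines are ignored; the last matching line read wins.
ack_limit_persisted() {
    etc="${1:-/etc}"
    val=unset
    for f in "$etc"/sysctl.d/*.conf "$etc"/sysctl.conf; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*net\.ipv4\.tcp_challenge_ack_limit[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    echo "$val"
}

# Classify the host as: absent | not-persisted | persisted | mismatch
ack_limit_status() {
    run=$(ack_limit_runtime "$1")
    boot=$(ack_limit_persisted "$2")
    if [ "$run" = absent ]; then
        echo absent            # nothing to tune on this kernel
    elif [ "$boot" = unset ]; then
        echo not-persisted     # running value is not set in the config files
    elif [ "$run" = "$boot" ]; then
        echo persisted         # running value matches the boot configuration
    else
        echo mismatch          # config differs from the running value
    fi
}

# Report for the live host (or for the roots given as arguments).
ack_limit_status "$@"
```

A result of `not-persisted` on a host where the value was changed with `sysctl -w` means the change will not survive a reboot until the line is added to `/etc/sysctl.conf`.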

