
Reading this:

https://ucrtoday.ucr.edu/39030

which is doing the rounds on some lists, I checked:

https://www.cert.gov.au/advisories

but that seems to be unmaintained. There is, however, no mention of a new TCP vulnerability at:

https://www.us-cert.gov/ncas/current-activity
https://www.us-cert.gov/ncas/alerts
https://www.auscert.org.au/render.html?cid=1

Is the article perhaps a furphy?

Erik

Quoting luv-main@luv.asn.au (luv-main@luv.asn.au):
Reading this: https://ucrtoday.ucr.edu/39030 which is doing the rounds on some lists,
http://www.theregister.co.uk/2016/08/10/linux_tor_users_open_corrupted_commu...
https://lwn.net/Articles/696868/ (subscriber-only until next week)

I suspect the best interim solution (as the UCR Today article suggests) is to set /proc/sys/net/ipv4/tcp_challenge_ack_limit=999999999 via sysctl, until something better-thought-out than RFC 5961 comes out.

An actual fix[1] is in the 4.7 but not yet in the stable kernel series.

[1] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75...

--
Cheers,              Grossman's Law:  "In time of crisis, people do not rise to
Rick Moen            the occasion.  They fall to the level of their training."
rick@linuxmafia.com  http://linuxmafia.com/~rick/lexicon.html#grossman
McQ! (4x80)

On Friday, 12 August 2016 5:21:43 PM AEST Erik Christiansen wrote:
Is the article perhaps a furphy?
The attack is quite real, LWN has a nice little summary here:

https://lwn.net/Articles/696868/

It's subscriber content only until Thursday (from memory) but LWN is an awesome website and they really need (and deserve) the community's support.

One thing it says there is:

# Cao did alert kernel developers to the problem, which was fixed in
# the mainline in July (and appears in the 4.7 kernel). The fix raises the
# limit to 1000 challenge ACKs per second, but also adds some
# randomization to the value so that counting will be less effective. In
# addition, the patch notes per-socket rate-limiting is available, which
# could lead to the removal of the global challenge ACK count down the
# road; some work toward that end has been merged as well.
#
# The fix has not made it to the stable kernels yet, but there is a
# mitigation available in the form of the tcp_challenge_ack_limit
# sysctl knob. Setting that value to something enormous (e.g. 999999999)
# will make it much harder for attackers to exploit the flaw.

All the best,
Chris
--
Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC
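A way to audit a host for the interim setting discussed in the messages above, as an added example that is not part of any poster's message. The state names, the function names and the sysctl.d file name are assumptions made for illustration; the thresholds 999999999 and 1000 are the values quoted in the thread.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): audit the challenge-ACK limit knob.
KNOB=/proc/sys/net/ipv4/tcp_challenge_ack_limit
SYSCTL_KEY=net.ipv4.tcp_challenge_ack_limit
MITIGATION=999999999   # interim value suggested in the thread
PATCHED=1000           # limit the mainline fix raises to, per the LWN quote

# classify_limit VALUE: print mitigated | patched-default | custom | low | invalid
classify_limit() {
    local v=$1
    case $v in ''|*[!0-9]*) echo invalid; return 0 ;; esac
    # The knob is a C int; longer digit strings cannot be a real reading.
    if [ "${#v}" -gt 10 ]; then echo invalid; return 0; fi
    if   [ "$v" -ge "$MITIGATION" ]; then echo mitigated
    elif [ "$v" -eq "$PATCHED" ];    then echo patched-default
    elif [ "$v" -gt "$PATCHED" ];    then echo custom
    else echo low    # below the post-fix limit: apply the interim value
    fi
}

# audit_knob [PATH]: read the knob (PATH overridable for testing) and report
# "<state> <value>", or "unreadable" if the file cannot be read.
audit_knob() {
    local path=${1:-$KNOB} value
    [ -r "$path" ] || { echo "unreadable"; return 0; }
    value=$(tr -d '[:space:]' < "$path")
    echo "$(classify_limit "$value") $value"
}

# persist_line: the sysctl.d entry that keeps the interim value across reboots.
persist_line() { echo "$SYSCTL_KEY = $MITIGATION"; }

case "${1:-}" in
    --audit) audit_knob ;;
    --apply) # needs root; the file name below is a hypothetical choice
        sysctl -w "$SYSCTL_KEY=$MITIGATION" &&
        persist_line > /etc/sysctl.d/90-challenge-ack.conf ;;
esac
```

Run with --audit to report the current state, or with --apply as root to set and persist the interim value.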

On Saturday, 13 August 2016 11:50:27 AM AEST Chris Samuel via luv-main wrote: [quoting LWN]
# The fix has not made it to the stable kernels yet,
There is also this comment on the article:

https://lwn.net/Articles/697130/

# The patches addressing CVE-2016-5696 are available in the public
# stable queue tree, and are very likely to be present in the next
# round of stable releases.

So hopefully soon..

cheers,
Chris
--
Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC

Hi, there is an accessible article on it here:

http://www.theregister.co.uk/2016/08/10/linux_tor_users_open_corrupted_commu...

participants (4)
- Chris Samuel
- Erik Christiansen
- Rick Moen
- Steve Roylance