On 12/08/2016 at 17:46, Jakub Wilk wrote:
> * Salvatore Bonaccorso <car...@debian.org>, 2016-08-12, 17:35:
>> mitigation could be used as per https://lwn.net/Articles/696868/ .
>
> This is behind a paywall at the moment. The relevant part appears to be:
>
>> there is a mitigation available in the form of the
>> tcp_challenge_ack_limit sysctl knob. Setting that value to something
>> enormous (e.g. 999999999) will make it much harder for attackers to
>> exploit the flaw.
>
The Akamai blog describes the workaround as well [1], you could implement it with:

    sysctl net.ipv4.tcp_challenge_ack_limit=1073741823; grep -q tcp_challenge_ack_limit /etc/sysctl.conf /etc/sysctl.d/* || echo "net.ipv4.tcp_challenge_ack_limit=1073741823" >> /etc/sysctl.d/cve-2016-5696.conf

[1] https://blogs.akamai.com/2016/08/vulnerability-in-the-linux-kernels-tcp-stack-implementation.html

Cheers !

--
Clément (nodens)
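A check for whether the mitigation is actually persisted, as an added example that is not part of the original thread: the `grep -q` guard in the one-liner above skips writing the file whenever any existing sysctl file mentions the key, including in a comment or with a small value. The function names and the sample files (including the value 100) are constructed for illustration, and the script assumes the caller lists the files in the order the system applies them.

```shell
#!/bin/sh
# Added example, not from the thread. Files are read in the order given and
# the last assignment wins (assumption: the caller passes them in the order
# the system applies them).
KEY=net.ipv4.tcp_challenge_ack_limit

# Print the last uncommented value assigned to $KEY, or nothing if unset.
persisted_ack_limit() {
    [ $# -gt 0 ] || return 0
    awk -v key="$KEY" '
        /^[ \t]*[#;]/ { next }              # comment line: not a setting
        {
            line = $0
            sub(/^[ \t]*-?/, "", line)      # drop indent and "-" prefix
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) last = v
        }
        END { if (last != "") print last }
    ' "$@"
}

# Succeed only if the persisted value is numeric and at least $1.
ack_limit_persisted_at_least() {
    want=$1; shift
    got=$(persisted_ack_limit "$@")
    case $got in ''|*[!0-9]*) return 1 ;; esac
    [ "$got" -ge "$want" ]
}

# Constructed sample files (not real system configuration).
SAMPLE=$(mktemp -d) && trap 'rm -rf "$SAMPLE"' EXIT
printf '# net.ipv4.tcp_challenge_ack_limit: see CVE-2016-5696\n' > "$SAMPLE/10-note.conf"
printf 'net.ipv4.tcp_challenge_ack_limit = 100\n' > "$SAMPLE/50-old.conf"
printf 'net.ipv4.tcp_challenge_ack_limit=1073741823\n' > "$SAMPLE/cve-2016-5696.conf"

# A comment alone satisfies "grep -q" but persists nothing.
echo "comment only: '$(persisted_ack_limit "$SAMPLE/10-note.conf")'"
# With the thread's file applied last, the large value is what persists.
echo "all files: $(persisted_ack_limit "$SAMPLE/10-note.conf" "$SAMPLE/50-old.conf" "$SAMPLE/cve-2016-5696.conf")"
```

On a real host, pass the sysctl files in application order and compare the result with the running value reported by `sysctl net.ipv4.tcp_challenge_ack_limit`.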