Quoting Jakub Wilk (jw...@debian.org):

> * Salvatore Bonaccorso <car...@debian.org>, 2016-08-12, 17:35:
> >mitigation could be used as per https://lwn.net/Articles/696868/ .
>
> This is behind a paywall at the moment. The relevant part appears to be:
>
> >there is a mitigation available in the form of the
> >tcp_challenge_ack_limit sysctl knob. Setting that value to
> >something enormous (e.g. 999999999) will make it much harder for
> >attackers to exploit the flaw.
The passage immediately before that should also be of interest:

    Cao did alert kernel developers to the problem, which was fixed
    (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758)
    in the mainline in July (and appears in the 4.7 kernel). The fix raises
    the limit to 1000 challenge ACKs per second, but also adds some
    randomization to the value so that counting will be less effective. In
    addition, the patch notes per-socket rate-limiting is available, which
    could lead to the removal of the global challenge ACK count down the
    road; some work
    (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=083ae308280d13d187512b9babe3454342a7987e)
    toward that end has been merged as well. The fix has not made it to the
    stable kernels yet [...].

-- 
Cheers,                Grossman's Law: "In time of crisis, people do not rise to
Rick Moen              the occasion. They fall to the level of their training."
r...@linuxmafia.com    http://linuxmafia.com/~rick/lexicon.html#grossman
McQ! (4x80)
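Added example, not part of the thread and not any project's code: a POSIX shell script that audits a Linux host against the interim mitigation quoted above (pre-4.7 kernel and a small tcp_challenge_ack_limit) and can apply it. It assumes `sysctl` and `/etc/sysctl.d/` exist; the 1000000 "enormous" threshold is a choice made for the example, not a value from the page.

```shell
#!/bin/sh
# Added example, not from the thread: audit the challenge-ACK rate limit the
# quoted LWN text describes and apply its interim sysctl mitigation. From the
# page: fix in mainline 4.7, knob tcp_challenge_ack_limit, value 999999999.
# MIN_OK_LIMIT is a threshold chosen here, not something the page states.
set -u
KNOB=net.ipv4.tcp_challenge_ack_limit
KNOB_FILE=/proc/sys/net/ipv4/tcp_challenge_ack_limit
MIN_OK_LIMIT=1000000         # treat anything at or above this as "enormous"
MITIGATION_VALUE=999999999   # the value suggested in the quoted LWN text

# kernel_has_fix "4.7.2-1-amd64" -> true when major.minor >= 4.7 (mainline fix).
# Only a hint: distributions backport fixes without bumping the version.
kernel_has_fix() {
    ver=$1; major=${ver%%.*}
    case "$ver" in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}   # drop "-rc3" style suffixes
    [ "${major:-0}" -gt 4 ] || { [ "${major:-0}" -eq 4 ] && [ "${minor:-0}" -ge 7 ]; }
}
# limit_is_mitigated VALUE -> true when the sysctl is already set "enormous".
limit_is_mitigated() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac   # non-numeric: not mitigated
    [ "$1" -ge "$MIN_OK_LIMIT" ]
}
# apply_mitigation: set the knob now and persist it across reboots (needs root).
apply_mitigation() {
    sysctl -w "$KNOB=$MITIGATION_VALUE" &&
    printf '%s = %s\n' "$KNOB" "$MITIGATION_VALUE" > /etc/sysctl.d/90-challenge-ack.conf
}
# audit_host: report whether this host still needs the interim mitigation.
audit_host() {
    [ -r "$KNOB_FILE" ] || { echo "$KNOB not present (not Linux, or global limit dropped)"; return 2; }
    ver=$(uname -r); cur=$(cat "$KNOB_FILE")
    if kernel_has_fix "$ver"; then
        echo "kernel $ver carries the mainline fix; $KNOB=$cur"
    elif limit_is_mitigated "$cur"; then
        echo "kernel $ver predates 4.7 but $KNOB=$cur is enormous: mitigated"
    else
        echo "kernel $ver predates 4.7 and $KNOB=$cur: run '$0 apply' as root"; return 1
    fi
}
case "${1:-}" in
    audit) audit_host ;;
    apply) apply_mitigation && audit_host ;;
    *)     echo "usage: $0 audit|apply" >&2 ;;
esac
```

Run `sh script.sh audit` on each host; a version at or above 4.7 is only a hint, since distribution kernels backport the fix without changing the version string.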