I did some web surfing when this thread was posted, to try to track down *which kernel versions* are affected by this TCP security flaw. I haven't seen this information posted yet.

http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf says:

"The feature is outlined in RFC 5961, which is implemented faithfully in Linux kernel version 3.6 from late 2012."

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696 says:

"net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack."

So the flaw appears to be in Linux kernels from 3.6 to 4.6 inclusive, which includes Jessie (3.16) but not Wheezy (3.2) or earlier. The jessie-backports kernel right now is 4.6, but only for a brief time. The last plan I saw was for Stretch to ship with 4.10, which should include the fix for this flaw.

Now on to the thread:

On Fri, Aug 12, 2016 at 10:42:36AM -0400, rhkra...@gmail.com wrote:
> In the README for sysctl on my wheezy system, it says "configure kernel
> parameters at runtime".

Not on mine.

greg@remote:~$ grep run /etc/sysctl.d/README.sysctl
greg@remote:~$

> I may be having a senior moment, but, atm, I'm not completely sure what
> runtime means

"At boot time", I would think. But I don't know where your file actually came from, so my guesses about the author's intent might be somewhat off.

README.sysctl is short enough to post in its entirety here, so this is what mine says on a wheezy system:

======================================================================
Kernel system variables configuration files

Files found under the /etc/sysctl.d directory that end with .conf are
parsed within sysctl(8) at boot time.  If you want to set kernel variables
you can either edit /etc/sysctl.conf or make a new file.

The filename isn't important, but don't make it a package name as it may
clash with something the package builder needs later.  It must end with
.conf though.

My personal preference would be for local system settings to go into
/etc/sysctl.d/local.conf but as long as you follow the rules for the names
of the file, anything will work.

See sysctl.conf(8) man page for details of the format.
======================================================================
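The following is an added example, not part of the message above or of Debian's sysctl packaging. It puts the README's advice into a small POSIX sh script: drop a local setting into a sysctl.d-style directory as local.conf, read it back with a parser for the "key = value" format that sysctl.conf(5) describes, and list only the *.conf files that sysctl(8) would actually parse (so a stray README.sysctl is ignored). The key it uses, net.ipv4.tcp_challenge_ack_limit, is not mentioned in the thread; it is the RFC 5961 challenge-ACK rate limit, and raising it was the mitigation distributions recommended for CVE-2016-5696 on kernels in the affected range. The directory is a parameter so the file handling can be exercised without root; only apply_conf, which calls sysctl -p, needs root.

```shell
#!/bin/sh
# Added example: manage a sysctl.d-style drop-in the way the README
# suggests (local settings in DIR/local.conf), parse it back, and
# optionally load it with sysctl -p. DIR defaults to nothing on purpose:
# every function takes the directory or file as an argument.

# write_local_conf DIR KEY VALUE
# Appends "KEY = VALUE" to DIR/local.conf, creating DIR if needed.
write_local_conf() {
    dir=$1
    key=$2
    value=$3
    mkdir -p "$dir" || return 1
    printf '%s = %s\n' "$key" "$value" >> "$dir/local.conf"
}

# conf_value FILE KEY
# Prints the last value assigned to KEY in FILE (later lines win, as
# with sysctl -p), skipping comment lines (# or ;) and tolerating
# whitespace around '='. Exit status 1 if KEY is not set in FILE.
conf_value() {
    file=$1
    key=$2
    # Escape the dots in the key so they match literally in the regex.
    pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
    result=$(sed -n \
        -e '/^[[:space:]]*[#;]/d' \
        -e "s/^[[:space:]]*${pattern}[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" \
        "$file" 2>/dev/null | tail -n 1)
    [ -n "$result" ] || return 1
    printf '%s\n' "$result"
}

# list_conf_files DIR
# Lists the files sysctl(8) would parse from DIR: only names ending in
# .conf, as the README says; anything else (README.sysctl itself) is skipped.
list_conf_files() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# apply_conf FILE
# Loads FILE into the running kernel with sysctl -p; this needs root.
# The boot-time parse the README describes does the same for /etc/sysctl.d/*.conf.
apply_conf() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_conf: needs root, skipping" >&2
        return 2
    fi
    sysctl -p "$1"
}

# Stand-alone demo against a constructed temporary directory, not /etc.
demo() {
    tmp=$(mktemp -d)
    printf '# constructed comment line\n' > "$tmp/local.conf"
    printf 'README text, not a .conf file\n' > "$tmp/README.sysctl"
    write_local_conf "$tmp" net.ipv4.tcp_challenge_ack_limit 999999999
    echo "parsed value: $(conf_value "$tmp/local.conf" net.ipv4.tcp_challenge_ack_limit)"
    echo "files sysctl would parse:"
    list_conf_files "$tmp"
    rm -rf "$tmp"
}

demo
```

To use it for real, call write_local_conf /etc/sysctl.d KEY VALUE as root and then apply_conf /etc/sysctl.d/local.conf (or reboot, since the boot-time parse picks the file up). Reading the value back with conf_value before applying is a cheap check that the file is in the format sysctl(8) expects.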