Quoting Simon Hobson (li...@thehobsons.co.uk):

> As Arnt Karlsen mentioned in the Bootloaders thread, there's a new twist
> which is the result of a security fix
>
> http://www.theregister.co.uk/2016/08/10/linux_tor_users_open_corrupted_communications/
>
> In a bid to thwart the risk from injected packets carrying the right
> quintuplet of source and dest IPs, source & dest ports, and sequence
> numbers, it now seems that there are "occasional" challenge packets
> sent. Simplifying a lot, basically one end will send packets to the
> other asking "did you really send that?" - so if someone is spoofing
> fake traffic then it'll come to light.
>
> As these packets are globally rate limited, a third party can send a
> flood of dodgy packets to cause this limit to be exceeded, and thus
> disable the protection it provides. As I read it, the attack doesn't
> really bring anything new other than the ability to disable the
> security offered by RFC 5961 - and thus lower the threshold to that of
> the original CVE from 2004.
I suspect the best interim solution is to set
/proc/sys/net/ipv4/tcp_challenge_ack_limit=999999999 via sysctl, until
something better-thought-out than RFC 5961 comes out.

-- 
Cheers,                 QA engineer walks into a bar. Orders a beer.
Rick Moen               Orders 0 beers. Orders 999999999 beers. Orders
r...@linuxmafia.com     a lizard. Orders -1 beers. Orders a sfdeljknesv.
McQ! (4x80)             -- @sempf, https://www.sempf.net/post/On-Testing1.aspx
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
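As an added example (not code from Rick's post, the Dng list or the kernel project), here is a POSIX sh script that applies the interim workaround he suggests in a way a practitioner would actually want to run it: it checks first whether the kernel exposes the knob at all (kernels without RFC 5961 challenge ACKs have no such file, so there is nothing to raise), verifies the write took effect, and persists the value so it survives a reboot. The /proc path is the real sysctl; the drop-in filename under /etc/sysctl.d and the environment-variable overrides are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the list post: check, apply and persist the
# interim tcp_challenge_ack_limit workaround suggested above.
# Assumptions: the knob lives at the /proc path below (kernels without
# RFC 5961 challenge ACKs have no such file), and the drop-in path under
# /etc/sysctl.d is a hypothetical choice. Both are overridable through the
# environment so the functions can be exercised on plain files without root.
SYSCTL_FILE="${SYSCTL_FILE:-/proc/sys/net/ipv4/tcp_challenge_ack_limit}"
CONF_FILE="${CONF_FILE:-/etc/sysctl.d/99-tcp-challenge-ack.conf}"
NEW_LIMIT=999999999

# Print the current limit; fail if this kernel does not expose the knob.
read_limit() {
    if [ ! -r "$SYSCTL_FILE" ]; then
        echo "$SYSCTL_FILE missing: kernel has no RFC 5961 challenge ACKs" >&2
        return 1
    fi
    cat "$SYSCTL_FILE"
}

# Return 0 if the current limit is below NEW_LIMIT, i.e. the global
# challenge ACK budget is still cheap to exhaust with a flood of bogus
# segments.
limit_is_low() {
    cur=$(read_limit) || return 1
    [ "$cur" -lt "$NEW_LIMIT" ]
}

# Write a new limit and read it back; non-zero if it did not take effect.
set_limit() {
    limit="$1"
    case "$limit" in
        ''|*[!0-9]*) echo "limit must be a non-negative integer" >&2; return 2 ;;
    esac
    printf '%s\n' "$limit" > "$SYSCTL_FILE" || return 1
    [ "$(read_limit)" = "$limit" ]
}

# Persist the setting as a sysctl.d drop-in so it survives a reboot.
persist_limit() {
    printf 'net.ipv4.tcp_challenge_ack_limit = %s\n' "$1" > "$CONF_FILE"
}

main() {
    cur=$(read_limit) || exit 1
    echo "current tcp_challenge_ack_limit: $cur"
    if limit_is_low; then
        set_limit "$NEW_LIMIT" && persist_limit "$NEW_LIMIT" \
            && echo "raised to $NEW_LIMIT and persisted in $CONF_FILE"
    else
        echo "already at or above $NEW_LIMIT, nothing to do"
    fi
}

# Run the apply flow only when executed by name as challenge_ack.sh, so the
# functions above can also be sourced or tested without touching /proc.
case "$0" in
    *challenge_ack.sh) main ;;
esac
```

Save it as challenge_ack.sh and run it as root; the functions can also be sourced into another script, or pointed at ordinary files via SYSCTL_FILE and CONF_FILE to try them without privileges. A kernel that carries the upstream fix for this issue randomizes the challenge ACK limit rather than exposing a fixed global count, so on such a kernel the script is harmless but unnecessary.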