Page 1 of 1

Quick note about blind TCP reset/injection attack released

Posted: Fri Aug 12, 2016 4:59 pm
by mikeshinn
Just wanted to sent out a quick email about an attack against the Linux TCP stack published today that is making a lot of news.

TL;DR if you are using the ASL kernel, you're already protected from this.

Details
----------

http://www.cs.ucr.edu/~zhiyunq/pub/sec1 ... ffpath.pdf
https://lwn.net/SubscriberLink/696868/a511d1b0ea61d0c0/

Unlike other Linux kernels, including the stable and distribution kernels, the ASL kernel is already protected against this. Stable and distributions kernel (as of today, even though new stable kernels were released yesterday by Greg KH) do not have fixes included. All of our kernels have been fixed since July 10th (one month ago) and all fixes backported. This includes not only the basic fix of the increased global challenge ack limit and additional randomness, but also the addition of per-socket challenge ack rate limiting.

For those that arent using the latest ASL kernel, you can do this to address the issue:

echo 999999999 > /proc/sys/net/ipv4/tcp_challenge_ack_limit

Please let us know if you have any questions or concerns, and thank you again for supporting Atomicorp.

Re: Quick note about blind TCP reset/injection attack releas

Posted: Wed Aug 17, 2016 3:07 pm
by Imaging
What is the ASL kernel version that is in reference with the fixes? Don't recall any kernel updates coming through in the last month on some of our ASL boxes.

Thanks.

Re: Quick note about blind TCP reset/injection attack releas

Posted: Tue Aug 23, 2016 1:46 pm
by Imaging
Any update about the above post? Thanks.

Re: Quick note about blind TCP reset/injection attack releas

Posted: Wed Aug 24, 2016 4:22 pm
by mikeshinn
It was a kpatch to the kernel, applied automatically. No action required by you as long as you were using the ASL kernel.

Re: Quick note about blind TCP reset/injection attack releas

Posted: Wed Aug 24, 2016 5:11 pm
by Imaging
Thanks. How does one check to make sure kpatches have been successfully applied to the running ASL kernel?