Quick note about blind TCP reset/injection attack released
Posted: Fri Aug 12, 2016 4:59 pm
Just wanted to send out a quick email about an attack against the Linux TCP stack published today that is making a lot of news.
TL;DR if you are using the ASL kernel, you're already protected from this.
Details
----------
http://www.cs.ucr.edu/~zhiyunq/pub/sec1 ... ffpath.pdf
https://lwn.net/SubscriberLink/696868/a511d1b0ea61d0c0/
Unlike other Linux kernels, including the stable and distribution kernels, the ASL kernel is already protected against this. Stable and distribution kernels (as of today, even though new stable kernels were released yesterday by Greg KH) do not have fixes included. All of our kernels have been fixed since July 10th (one month ago) and all fixes backported. This includes not only the basic fix of the increased global challenge ack limit and additional randomness, but also the addition of per-socket challenge ack rate limiting.
For those that aren't using the latest ASL kernel, you can do this to address the issue:
echo 999999999 > /proc/sys/net/ipv4/tcp_challenge_ack_limit
Please let us know if you have any questions or concerns, and thank you again for supporting Atomicorp.
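The echo into /proc shown in the post lasts only until the next reboot. The following is an added example, not part of the original post or Atomicorp's own tooling, that checks the live value against the one given in the post and writes a sysctl drop-in so it is reapplied at boot; the function names and the drop-in file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# drop-in file name are hypothetical, chosen for illustration.

ACK_LIMIT_TARGET=999999999   # value given in the post
ACK_LIMIT_PROC=/proc/sys/net/ipv4/tcp_challenge_ack_limit

# ack_limit_status [file] [target]
# Prints "ok", "low" or "absent" and returns 0, 1 or 2 accordingly.
ack_limit_status() {
    file=${1:-$ACK_LIMIT_PROC}
    target=${2:-$ACK_LIMIT_TARGET}
    if [ ! -r "$file" ]; then
        echo absent; return 2
    fi
    current=$(cat "$file")
    case $current in
        ''|*[!0-9]*) echo absent; return 2 ;;   # not a plain integer
    esac
    if [ "$current" -ge "$target" ]; then
        echo ok; return 0
    fi
    echo low; return 1
}

# ack_limit_persist [dir] [target]
# Writes a sysctl drop-in so the value survives a reboot.
ack_limit_persist() {
    dir=${1:-/etc/sysctl.d}
    target=${2:-$ACK_LIMIT_TARGET}
    printf 'net.ipv4.tcp_challenge_ack_limit = %s\n' "$target" \
        > "$dir/90-tcp-challenge-ack.conf"
}

# ack_limit_fix: apply now and persist, only when the live value is too low.
ack_limit_fix() {
    case $(ack_limit_status) in
        ok)     echo "already at or above $ACK_LIMIT_TARGET" ;;
        low)    echo "$ACK_LIMIT_TARGET" > "$ACK_LIMIT_PROC" && ack_limit_persist ;;
        absent) echo "tcp_challenge_ack_limit not readable on this kernel" >&2
                return 2 ;;
    esac
}

# Changes are made only when the script is invoked as root with --apply.
if [ "${1:-}" = "--apply" ]; then ack_limit_fix; fi
```

Without `--apply` the script only defines the functions, so it can be sourced and `ack_limit_status` used as a read-only check across a fleet.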