SACK

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
Imaging
Forum Regular
Posts: 333
Joined: Sat Sep 25, 2010 2:46 pm

SACK

Post by Imaging

Are the SACK panic related vulnerabilities an issue with ASL kernels? If not, which versions are immune? If so, when is an update expected?

Thanks!
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4120
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: SACK

Post by mikeshinn

Only if TSO or GSO is enabled for the interface, and only if you have MSS protection disabled in ASL. Check this setting in ASL:

FW_MSS_DROP="yes"

ASL has always been immune to this kind of attack, for many, many years, if this is enabled.

If you're not using ASL, then you want to check to see if you have TSO or GSO enabled:

ethtool -k eth0 | egrep "tcp|gso|generic"

You can disable this with the same tool.

Or you can disable Selective ACK with this command:

echo 0 > /proc/sys/net/ipv4/tcp_sack

A new kernel will be available tomorrow should you wish to use TSO or GSO and don't want to use ASL's MSS protection (there's no reason not to use this protection).
Imaging
Forum Regular

Re: SACK

Post by Imaging

Mike:

Thanks for the explanation. From what I recall the MSS setting defaults to no on a fresh ASL install so many may not have it enabled. Perhaps it should default to yes moving forward?
mikeshinn
Atomicorp Staff - Site Admin

Re: SACK

Post by mikeshinn

On older systems it was probably set to no. It is set to yes by default; not sure when the change happened, though, but for some time it's been the default.
Imaging
Forum Regular

Re: SACK

Post by Imaging

Thanks. The wiki could use an update as it has:

=== FW_MSS_DROP ===

Note: This option is available in ASL 4.x and up.

This will detect and drop packets that have an invalid MSS.

Default: no

https://wiki.atomicorp.com/wiki/index.p ... W_MSS_DROP

versus

=== FW_MSS_DROP ===

Note: This option is available in ASL 4.x and up.

This will detect and drop packets that have an invalid MSS.

Default: yes

(for some odd reason can't update as my email isn't validating).
Imaging
Forum Regular

Re: SACK

Post by Imaging

What table in iptables is the mss rule added to? At present, after enabling, I'm not seeing a rule added (restarted the firewall, ran asl -s -f, rebooted the box etc., all the usuals JIC to make sure it was active).
mikeshinn
Atomicorp Staff - Site Admin

Re: SACK

Post by mikeshinn

It's not added to a table; it changes kernel settings.
Imaging
Forum Regular

Re: SACK

Post by Imaging

Thank you. What would be the best way to test that all is protecting as it should?