On Friday, 12 August 2016 5:21:43 PM AEST Erik Christiansen wrote:

> Is the article perhaps a furphy?

The attack is quite real, LWN has a nice little summary here:

https://lwn.net/Articles/696868/

It's subscriber content only until Thursday (from memory) but LWN is an 
awesome website and they really need (and deserve) the community's 
support.

One thing it says there is:

# Cao did alert kernel developers to the problem, which was fixed in
# the mainline in July (and appears in the 4.7 kernel). The fix raises the
# limit to 1000 challenge ACKs per second, but also adds some
# randomization to the value so that counting will be less effective. In
# addition, the patch notes per-socket rate-limiting is available, which
# could lead to the removal of the global challenge ACK count down the
# road; some work toward that end has been merged as well.
#
# The fix has not made it to the stable kernels yet, but there is a
# mitigation available in the form of the tcp_challenge_ack_limit
# sysctl knob. Setting that value to something enormous (e.g. 999999999)
# will make it much harder for attackers to exploit the flaw.

All the best,
Chris
-- 
 Chris Samuel  :  http://www.csamuel.org/  :  Melbourne, VIC

_______________________________________________
luv-main mailing list
luv-main@luv.asn.au
https://lists.luv.asn.au/cgi-bin/mailman/listinfo/luv-main
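A host check for the mitigation the quoted LWN text describes, as an added example (not from the thread or from LWN): it treats a 4.7+ kernel as fixed (the raised, randomized limit) and otherwise looks at the tcp_challenge_ack_limit knob. The 100000 threshold is an assumption standing in for LWN's "something enormous"; the knob path and the old default of 100 are real.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether a Linux host is
# covered against the challenge-ACK counting attack summarised by LWN.
# Coverage comes either from a fixed kernel (4.7+) or from a raised sysctl.

KNOB=/proc/sys/net/ipv4/tcp_challenge_ack_limit
MITIGATED_MIN=100000   # assumption: anything lower counts as not mitigated

# kernel_at_least MAJOR MINOR RELEASE
# Returns 0 when RELEASE (e.g. "4.4.0-83-generic") is >= MAJOR.MINOR.
kernel_at_least() {
    want_major=$1; want_minor=$2
    have_major=$(printf '%s' "$3" | cut -d. -f1)
    have_minor=$(printf '%s' "$3" | cut -d. -f2 | sed 's/[^0-9].*//')
    if [ "$have_major" -gt "$want_major" ]; then
        return 0
    elif [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# assess RELEASE LIMIT -> prints fixed-kernel | mitigated | vulnerable
assess() {
    release=$1; limit=$2
    if kernel_at_least 4 7 "$release"; then
        echo fixed-kernel      # mainline fix: 1000/s plus randomisation
    elif [ "$limit" -ge "$MITIGATED_MIN" ] 2>/dev/null; then
        echo mitigated         # sysctl raised, as the LWN summary suggests
    else
        echo vulnerable        # old default (100), or knob not readable
    fi
}

# Live check, only when run on a Linux host that exposes the knob.
if [ -r "$KNOB" ]; then
    current=$(cat "$KNOB")
    echo "kernel $(uname -r), tcp_challenge_ack_limit=$current:" \
         "$(assess "$(uname -r)" "$current")"
    # Runtime mitigation (root, not persistent across reboot):
    #   sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999
    # Put the same line in /etc/sysctl.d/ to keep it after a reboot.
fi
```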