<div dir="ltr">Picked this up on the Fedora list. Just passing along as it pertains to all of Linux. I have not implemented this patch as of yet on my Xubuntu system until I fully read the paper, some 17 pages. Being a security issue thought it best to at least put the info out. Discussion is more than welcome as there seems to be some concern with increasing the ACK time. This is not my area a specialty. Hope it helps...<div> <div>\begin quote</div><div>Hi, There is a severe security hole in TCP on the linux system. Here are some extracts from an abstract of the paper about the weakness. "Instead, they identified a subtle flaw (in the form of 'side channels') in the Linux software that enables attackers to infer the TCP sequence numbers associated with a particular connection with no more information than the IP address of the communicating parties. " This means that given any two arbitrary machines on the internet, a remote blind attacker without being able to eavesdrop on the communication, can track users' online activity, terminate connections with others and inject false material into their communications. Encrypted connections (e.g., HTTPS) are immune to data injection, but they are still subject to being forcefully terminated by the attacker. The weakness would allow attackers to degrade the privacy of anonymity networks, such as Tor, by forcing the connections to route through certain relays. The attack is fast and reliable, often taking less than a minute and showing a success rate of about 90 percent. The researchers created a short video showing how the attacks works. <a href="https://www.youtube.com/watch?v=S4Ns5wla9DY" rel="noreferrer" target="_blank" style="font-size:12.8px">https://www.youtube.com/watch?v=S4Ns5wla9DY</a> "The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out. Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses (for victim client and server), which is fairly easy to obtain," Qian said. Qian said the researchers have alerted Linux about the vulnerability, which has resulted in patches applied to the latest Linux version. Until then, Qian recommends the following temporary patch that can be applied to both client and server hosts. It simply raises the `challenge ACK limit' to an extremely large value to make it practically impossible to exploit the side channel. This can be done on Ubuntu, for instance, as follows: 1. Open /etc/sysctl.conf, append a command "/net.ipv4/tcp_challenge_ack_limit = 999999999". 2. Use "sysctl -p" to update the configuration. The full paper is available here as a pdf. <a href="http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf" rel="noreferrer" target="_blank" style="font-size:12.8px">http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf</a> How soon will we see a kernel in Fedora that has this fixed? Or is it already fixed? Thanks. </div></div><div>\end quote</div><div> </div><div>Again, hope this helps. Further insight is welcome.</div><div> </div><div>-- Fred</div></div>