Re: Security vulnerability in TCP of linux, patches available, how soon in Fedora?

Yet....just another reason why I love Linux?!....the patching system. It's on POINT!.... when it comes to catching and preventing these kinds of things?.....this community handles its BUSINESS!!!!!...LOL!

On Aug 10, 2016 12:17 AM, stan <stanl-fedorauser@xxxxxxxxxxx> wrote:
>
> Hi,
>
> There is a severe security hole in TCP on the linux system.  Here are
> some extracts from an abstract of the paper about the weakness.
>
> "Instead, they identified a subtle flaw (in the form of 'side
> channels') in the Linux software that enables attackers to infer the
> TCP sequence numbers associated with a particular connection with no
> more information than the IP address of the communicating parties. "
>
> This means that given any two arbitrary machines on the internet, a
> remote blind attacker without being able to eavesdrop on the
> communication, can track users' online activity, terminate connections
> with others and inject false material into their communications.
> Encrypted connections (e.g., HTTPS) are immune to data injection, but
> they are still subject to being forcefully terminated by the attacker.
> The weakness would allow attackers to degrade the privacy of anonymity
> networks, such as Tor, by forcing the connections to route through
> certain relays. The attack is fast and reliable, often taking less than
> a minute and showing a success rate of about 90 percent. The
> researchers created a short video showing how the attack works.
>
> https://www.youtube.com/watch?v=S4Ns5wla9DY
>
> "The unique aspect of the attack we demonstrated is the very low
> requirement to be able to carry it out. Essentially, it can be done
> easily by anyone in the world where an attack machine is in a network
> that allows IP spoofing. The only piece of information that is needed
> is the pair of IP addresses (for victim client and server), which is
> fairly easy to obtain," Qian said.
>
> Qian said the researchers have alerted Linux about the vulnerability,
> which has resulted in patches applied to the latest Linux version.
> Until then, Qian recommends the following temporary patch that can be
> applied to both client and server hosts. It simply raises the
> `challenge ACK limit' to an extremely large value to make it
> practically impossible to exploit the side channel. This can be done on
> Ubuntu, for instance, as follows:
>
> 1. Open /etc/sysctl.conf, append a command
> "net.ipv4.tcp_challenge_ack_limit = 999999999".
>
> 2. Use "sysctl -p" to update the configuration.
>
> The full paper is available here as a pdf.
> http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf
>
> How soon will we see a kernel in Fedora that has this fixed?  Or is it
> already fixed?
>
> Thanks.
> --
> users mailing list
> users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change subscription options:
> https://lists.fedoraproject.org/admin/lists/users@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
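
The two-step workaround quoted above can be audited per host. The script below is an added example, not part of the original messages: it compares the value in the running kernel with the value persisted in /etc/sysctl.conf. The function names and status strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the challenge-ACK-limit workaround.
KEY="net.ipv4.tcp_challenge_ack_limit"
WANT=999999999    # value recommended in the quoted message

# Last value assigned to $KEY in the given sysctl config files.
# Assumption: a later assignment overrides an earlier one.
configured_limit() {
    for f in "$@"; do [ -r "$f" ] && cat "$f"; done | awk -v key="$KEY" '
        /^[ \t]*[#;]/ { next }                  # comment lines
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            sub(/^-/, "", k)                    # "-key = v" means ignore errors
            gsub("/", ".", k)                   # sysctl also accepts net/ipv4/...
            if (k == key) last = v
        }
        END { if (last != "") print last }'
}

# Value the running kernel uses; $1 overrides the /proc/sys root (for testing).
running_limit() {
    f="${1:-/proc/sys}/net/ipv4/tcp_challenge_ack_limit"
    if [ -r "$f" ]; then cat "$f"; fi
}

# $1 = running value, $2 = configured value; either may be empty.
assess() {
    if [ "${1:-0}" -ge "$WANT" ] 2>/dev/null; then
        if [ "${2:-0}" -ge "$WANT" ] 2>/dev/null; then echo "active-and-persistent"
        else echo "active-not-persistent"; fi   # lost at reboot
    elif [ "${2:-0}" -ge "$WANT" ] 2>/dev/null; then
        echo "configured-but-not-loaded"        # "sysctl -p" not yet run
    else
        echo "absent"
    fi
}

echo "$KEY: $(assess "$(running_limit)" "$(configured_limit /etc/sysctl.conf)")"
```

A result of "configured-but-not-loaded" means step 1 was done without step 2; "active-not-persistent" means the value was set at runtime only and will not survive a reboot.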