Linux TCP Flaw Fix

For those who want all the details, here is a document which explains how this RFC 5961 flaw can be exploited:

The fix itself, which raises the per-second challenge ACK budget far beyond anything an off-path attacker could exhaust and count:

net.ipv4.tcp_challenge_ack_limit = 999999999

which is appended to

the /etc/sysctl.conf file using a text editor

and applied with

sysctl -p

Most importantly, a command to show whether your Linux OS is patched already (I had to trawl quite a bit to find this):

sysctl -a | grep ack_limit
net.ipv4.tcp_challenge_ack_limit = 100

As you can see from the above, it was set to 100 on my desktop running Ubuntu 14.04 with all updates as of 18/08/16. The default challenge ACK limit of 100 is what the exploit relies on.
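As an added example (not part of the original post), here is a small POSIX shell script that puts the check and the fix in one place. It reads the live value straight from /proc rather than grepping the whole sysctl -a listing, classifies it against the old default of 100, and when run with --apply writes the setting to a drop-in under /etc/sysctl.d and reloads it, which survives package upgrades of sysctl.conf better than hand-editing that file. The drop-in file name 60-tcp-challenge-ack.conf and the --apply flag are choices made for this example. One caveat on the check itself: the sysctl only reports the configured budget. The upstream kernel fix (Linux 4.7, "tcp: make challenge acks less predictable") randomises the per-second count and raises the default to 1000, so a distribution kernel carrying that fix typically reports 1000 rather than 100; raising the limit as the post does remains a valid extra mitigation on any kernel.

```shell
#!/bin/sh
# Added example, not from the original post: check whether the kernel is
# still running with the original challenge ACK budget and, on request,
# raise it via a sysctl drop-in. The drop-in path and --apply flag are
# arbitrary choices for this example.

KEY=net.ipv4.tcp_challenge_ack_limit
PROC_PATH=/proc/sys/net/ipv4/tcp_challenge_ack_limit
WEAK_DEFAULT=100          # pre-fix kernel default the published attack assumes
HARDENED=999999999        # value suggested in the post
DROPIN=/etc/sysctl.d/60-tcp-challenge-ack.conf

# Read the live value. /proc is readable without root and avoids grepping
# the whole `sysctl -a` output. Prints nothing on kernels without the knob.
current_limit() {
    cat "$PROC_PATH" 2>/dev/null || true
}

# Return 0 when the value is at or below the old default, i.e. the
# per-second budget is small enough for an off-path attacker to exhaust
# and count. Empty input (knob absent) is not classified as weak.
is_weak() {
    [ -n "$1" ] && [ "$1" -le "$WEAK_DEFAULT" ]
}

# Write the setting to a drop-in file, removing any earlier line for the
# same key so repeated runs do not accumulate duplicates.
# $1 = file, $2 = value.
write_dropin() {
    file=$1
    value=$2
    tmp=$(mktemp)
    if [ -f "$file" ]; then
        grep -v -F "$KEY" "$file" > "$tmp" || true
    fi
    printf '%s = %s\n' "$KEY" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# Load the drop-in. `sysctl -p` alone only reads /etc/sysctl.conf;
# `sysctl --system` walks /etc/sysctl.d, and `sysctl -p FILE` is the
# fallback for older procps versions.
apply_dropin() {
    sysctl --system >/dev/null 2>&1 || sysctl -p "$1"
}

# Report the current value; harden when called with --apply (needs root).
main() {
    cur=$(current_limit)
    if [ -z "$cur" ]; then
        echo "$KEY: not present on this kernel"
    elif is_weak "$cur"; then
        echo "$KEY = $cur: at or below the old default of $WEAK_DEFAULT"
    else
        echo "$KEY = $cur: above the old default"
    fi
    if [ "$1" = "--apply" ]; then
        write_dropin "$DROPIN" "$HARDENED"
        apply_dropin "$DROPIN"
        echo "$KEY now $(current_limit)"
    fi
}

main "$@"
```

Run it without arguments to see the current value, and as root with --apply to write and load the drop-in. Because the setting lives in /etc/sysctl.d, a later `sysctl -p` that reads only /etc/sysctl.conf will not pick it up; use `sysctl --system` (or reboot) after editing.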

