CVE-2016-5696 is a Linux TCP flaw: an attacker does not need a man-in-the-middle position. Using packets with a spoofed source IP, an off-path attacker can infer the state of a TCP connection between any two other hosts and inject malicious packets into it.
Although a fix was merged into the mainline kernel in July (it landed in Linux 4.7, so 4.7 and 4.8-rc1 carry it), many people still do not know about the flaw and have not installed a patched kernel.
Let us look at the commit that fixes it (the commit credits Linus with the initial analysis and patch):
tcp: make challenge acks less predictable

Yue Cao claims that current host rate limiting of challenge ACKS
(RFC 5961) could leak enough information to allow a patient attacker
to hijack TCP sessions. He will soon provide details in an academic
paper.

This patch increases the default limit from 100 to 1000, and adds
some randomization so that the attacker can no longer hijack
sessions without spending a considerable amount of probes.

Based on initial analysis and patch from Linus.

Note that we also have per socket rate limiting, so it is tempting
to remove the host limit in the future.

v2: randomize the count of challenge acks per second, not the period.
So the kernel's default host-wide limit on challenge ACKs was only 100 per second, and the patch raises it to 1000. Note that the higher limit is only half of the fix: the patch also randomizes the per-second count, because it is the fixed, host-wide counter, shared by every connection on the machine, that a patient off-path attacker can probe to learn whether its spoofed packets matched a live connection.
Based on this, until a patched kernel is installed, the following workaround reduces the exposure. It raises the limit but cannot add the randomization, so it makes the probing much slower rather than impossible:
su -
echo "net.ipv4.tcp_challenge_ack_limit = 9999" >> /etc/sysctl.conf
sysctl -p
To check:
sysctl -a | grep ack_limit
If it prints net.ipv4.tcp_challenge_ack_limit = 9999, the setting is active. (The counter is per second, so any larger value works the same way and simply forces the attacker to send more spoofed packets before the limit is reached.)
Incidentally: OS X, FreeBSD and Windows do not fully implement RFC 5961, so they are not affected by this flaw (the leak is in Linux's host-wide rate limit on challenge ACKs, not in the RFC's idea as such). Do more, err more; do nothing, err not... ironic, isn't it?! 😉