Announcement

Collapse
No announcement yet.

TCP weakness identified

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    TCP weakness identified

    The article specifically mentions Linux as a vulnerable OS, plus Android.
    Reference:

    https://ucrtoday.ucr.edu/39030

    ...
    "Such a weakness could be used to launch targeted attacks that track users’ online activity, forcibly terminate a communication, hijack a conversation between hosts or degrade the privacy guarantee by anonymity networks such as Tor."
    ...

    A possible local fix is given near the end of the article. Patches are referenced to the latest Linux code, but not to existing installations "in the wild".
    Last edited by TWPonKubuntu; Aug 10, 2016, 10:32 AM.
    Kubuntu 24.11 64bit under Kernel 6.11.4, Hp Pavilion, 6MB ram. Stay away from all things Google...

    #2
    Update: more information

    Update from alternate source:

    https://www.onthewire.io/widespread-...g-termination/
    Kubuntu 24.11 64bit under Kernel 6.11.4, Hp Pavilion, 6MB ram. Stay away from all things Google...

    Comment


      #3
      Not really news. Here is a paper from last year identifying the "side channels":
      https://www.cs.unm.edu/~crandall/infocom2015rtt.pdf

      A "side channel" is created when the third part of the three part handshake between a server and a client is not executed. When an off-path machine sends an unsolicited SYN-ACK packet it creates an entry (side channel) in the handshake buffer. There are two kinds of SYN-ACK entries in the kernel space handshake buffer, young and mature, based on their age. The trick is to flood the client with SYN-ACKs till the client attempts to clear the mature "channels" out of the buffer. This attack requires an open port. Kubuntu's TCP makes all ports closed during installation, even if the ufw is not activated. You can check your ports here. If you are all green you are good to go. Red or blue is bad.

      The temporary fix to this attack is supposed to be:
      Code:
          Open /etc/sysctl.conf, append a command “/net.ipv4/tcp_challenge_ack_limit = 999999999”.
          Use “sysctl -p” to update the configuration.
      doesn't work because that TCP parameter is not compiled into the Linux kernel space. You'll get a "file or directory not found" error. Creating that as a file won't work if the kernel isn't reading it.
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
      – John F. Kennedy, February 26, 1962.

      Comment


        #4
        Originally posted by GreyGeek View Post
        Not really news.
        ...
        Dang, must be a slow news day for the authors
        Kubuntu 24.11 64bit under Kernel 6.11.4, Hp Pavilion, 6MB ram. Stay away from all things Google...

        Comment


          #5
          Originally posted by GreyGeek View Post
          Not really news. Here is a paper from last year identifying the "side channels":
          The temporary fix to this attack is supposed to be:
          Code:
              Open /etc/sysctl.conf, append a command “/net.ipv4/tcp_challenge_ack_limit = 999999999”.
              Use “sysctl -p” to update the configuration.
          doesn't work because that TCP parameter is not compiled into the Linux kernel space. You'll get a "file or directory not found" error. Creating that as a file won't work if the kernel isn't reading it.
          It should work fine.

          Are you sure you're appending in the correct syntax:
          net.ipv4.tcp_challenge_ack_limit = 999999999
          (not /net.ipv4/tcp_challenge_ack_limit = 999999999)

          The default ack_limit is 100 for *buntus
          EDIT: you can check the current parameter value with:
          Code:
          sysctl net.ipv4.tcp_challenge_ack_limit
          Last edited by kubicle; Aug 10, 2016, 05:20 PM.

          Comment


            #6
            Cool! Thanks!

            Comment


              #7
              Originally posted by kubicle View Post
              It should work fine.

              Are you sure you're appending in the correct syntax:
              net.ipv4.tcp_challenge_ack_limit = 999999999
              (not /net.ipv4/tcp_challenge_ack_limit = 999999999)

              The default ack_limit is 100 for *buntus
              EDIT: you can check the current parameter value with:
              Code:
              sysctl net.ipv4.tcp_challenge_ack_limit
              If the "/" is included one will be warned of the error when re-initializing sysctl.
              My installation fails the "fix" as an unrecognized parameter. (I'm running Neon)
              Last edited by GreyGeek; Aug 11, 2016, 05:06 AM.
              "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
              – John F. Kennedy, February 26, 1962.

              Comment


                #8
                Originally posted by TWPonKubuntu View Post
                Dang, must be a slow news day for the authors
                Yup. Five years ago I was working end user support for a rather large web hosting company and we were well aware of SYN attacks back then. This may not be exactly the same vulnerability but it used to be that a SYN flood would bring a webserver to its knees. My anecdotal experience is old, though
                we see things not as they are, but as we are.
                -- anais nin

                Comment


                  #9
                  This kind of attack is more than just a brute force DoS attack. It's an execution.
                  "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                  – John F. Kennedy, February 26, 1962.

                  Comment


                    #10
                    Originally posted by GreyGeek View Post
                    If the "/" is included one will be warned of the error when re-initializing sysctl.
                    My installation fails the "fix" as an unrecognized parameter. (I'm running Neon)
                    That's a bit odd. I'm running Neon as well, and I just tested it and it works well here.
                    What's your cli output if you run:
                    Code:
                    sysctl net.ipv4.tcp_challenge_ack_limit

                    Comment


                      #11
                      Kubicle, it worked on this end. I received the below.

                      Code:
                      moonrise@Panther:~$ sysctl net.ipv4.tcp_challenge_ack_limit
                      net.ipv4.tcp_challenge_ack_limit = 100
                      moonrise@Panther:~$

                      Comment


                        #12
                        Originally posted by MoonRise View Post
                        Kubicle, it worked on this end. I received the below.

                        Code:
                        moonrise@Panther:~$ sysctl net.ipv4.tcp_challenge_ack_limit
                        net.ipv4.tcp_challenge_ack_limit = 100
                        moonrise@Panther:~$
                        That sort of shows you haven't actually changed the kernel default (100). After editing sysctl.conf you need to run "sudo sysctl -p" to reload the configuration (a reboot will also work, of course)

                        Comment


                          #13
                          Originally posted by kubicle View Post
                          It should work fine.

                          Are you sure you're appending in the correct syntax:
                          net.ipv4.tcp_challenge_ack_limit = 999999999
                          (not /net.ipv4/tcp_challenge_ack_limit = 999999999)

                          The default ack_limit is 100 for *buntus
                          EDIT: you can check the current parameter value with:
                          Code:
                          sysctl net.ipv4.tcp_challenge_ack_limit
                          Ah, it was the second "/" that got to me. Changing it to a "." allowed the command to work.
                          "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                          – John F. Kennedy, February 26, 1962.

                          Comment


                            #14
                            Originally posted by kubicle View Post
                            That sort of shows you haven't actually changed the kernel default (100). After editing sysctl.conf you need to run "sudo sysctl -p" to reload the configuration (a reboot will also work, of course)
                            Is there any reason to change the default? I think at a 100 seems safe?

                            Comment


                              #15
                              Originally posted by MoonRise View Post
                              Is there any reason to change the default? I think at a 100 seems safe?
                              I think the proof-of-concept attack was demonstrated against the limit of 100 (per second). How effective the attack is in real world situations is another thing, but 100 is low enough to make the attack at least theoretically possible.

                              The kernel patch to fix the issue seems to increase the limit to 1000, but more importantly it adds randomization to the number so the limit is not predictable (which should break the timing which is apparently important for the attack to work). As long as the limit is fixed (with a non-patched kernel), I'd recommend using a limit much larger than 1000 (just to err on the safe side).

                              Comment

                              Working...
                              X