Linux TCP Flaw


Hi

So after reading this, I felt I should apply the fix to a CentOS6 VPS that I have. http://www.zdnet.com/article/linux-tcp-flaw-lets-anyone-hijack-internet-traffic/

The article doesn’t talk about CentOS or Redhat, but I assume the problem is the same, and I am hoping the solution is the same. However, that doesn’t seem to be the case.

[root@vps ~]# uname -r
2.6.32-042stab108.7
[root@vps ~]# sysctl -a | grep ack_limit
net.ipv4.tcp_challenge_ack_limit = 100
[root@vps ~]# vi /etc/sysctl.conf
> Append
> net.ipv4.tcp_challenge_ack_limit = 999999999
> to end of file
[root@vps ~]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
error: permission denied on key 'net.bridge.bridge-nf-call-ip6tables'
error: permission denied on key 'net.bridge.bridge-nf-call-iptables'
error: permission denied on key 'net.bridge.bridge-nf-call-arptables'
error: permission denied on key 'net.ipv4.tcp_challenge_ack_limit'
[root@vps ~]# sysctl -a | grep ack_limit
net.ipv4.tcp_challenge_ack_limit = 100

Am I getting a permission denied because there is a different solution, or because the problem doesn’t apply to our VPS, or for some other reason?

Regards

Andrew Dent
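
The session above shows the right habit: re-reading the key after sysctl -p instead of trusting the write. The script below, an added example that is not part of the original post, automates that check. The sysctl key and the 999999999 value are the ones from the post; the optional root-directory argument is an assumption so the check can be pointed at a fixture tree instead of the live /proc/sys.

```shell
#!/bin/sh
# Verify the challenge-ACK rate-limit workaround for the TCP flaw discussed
# in the post. KEY is the real sysctl from the session; the root argument
# (default /proc/sys) is assumed for this example so it can run against a
# fixture directory as well as the live kernel.
KEY=net/ipv4/tcp_challenge_ack_limit
WANT=999999999          # value the post appends to /etc/sysctl.conf

# Print one status word for the key under $1 and return 0 only when it is
# at the intended value:
#   missing         - the kernel does not expose the key at all
#   readonly:<val>  - key exists but cannot be written from this context
#                     (what a container on a shared host kernel shows)
#   low:<val>       - writable, but still at a small limit
#   ok:<val>        - at or above the intended value
challenge_ack_status() {
    f="${1:-/proc/sys}/$KEY"
    [ -e "$f" ] || { echo missing; return 1; }
    val=$(cat "$f" 2>/dev/null) || { echo readonly:unknown; return 1; }
    if [ ! -w "$f" ]; then echo "readonly:$val"; return 1; fi
    if [ "$val" -lt "$WANT" ]; then echo "low:$val"; return 1; fi
    echo "ok:$val"
}

# Try to raise the limit under $1, then re-read it the way the post does
# (sysctl -a | grep ack_limit) rather than assuming the write took effect.
apply_challenge_ack_limit() {
    f="${1:-/proc/sys}/$KEY"
    [ -e "$f" ] || { echo missing; return 1; }
    if ! printf '%s\n' "$WANT" > "$f" 2>/dev/null; then
        # Same outcome as "permission denied on key" in the post: the host
        # kernel owns the setting and this context cannot change it.
        echo "readonly:$(cat "$f")"; return 1
    fi
    challenge_ack_status "$1"
}

# Stand-alone use against the live kernel (changing it needs root):
#   sh check_challenge_ack.sh --check    # report current state
#   sh check_challenge_ack.sh --apply    # raise the limit and re-check
case "${1:-}" in
    --check) challenge_ack_status /proc/sys ;;
    --apply) apply_challenge_ack_limit /proc/sys ;;
esac
```

A readonly result means the setting has to be changed on the host kernel, not inside the VPS.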

10 thoughts on - Linux TCP Flaw

  • That’s not a CentOS kernel, it’s an openvz kernel that is not provided by CentOS. The fixes and workarounds shown on the internet will not work with that kernel.

    I suggest you find a better VPS provider, what you have is essentially a glorified chroot, not a real VPS and there are many aspects of CentOS that are simply broken in that model.

    Peter

  • It affects RHEL6, which runs 2.6.32; they backported the features that it affects. If the above openvz kernel was based on a RHEL6 kernel (and I’d guess it was) then it’s affected.

    Peter

  • If this feature was backported, then it surely may be the case although I’ve not seen any reference indicating that. If you wouldn’t mind including a link that indicates this, that would be appreciated.

    Thanks, Barry

  • Thanks for the info Peter. The VPS is running on a Plesk environment.

  • Right, and in a Plesk environment there is only one kernel on the main machine, and all the VPS machines use it. So the hosting provider has to make all kernel mods.

  • Would a successful attack on the IP address of a VPS in a Plesk environment expose the VPS, the Virtual Host or both (and all other VPSs)?