Quoting Simon Hobson (linux@???):

> As Arnt Karlsen mentioned in the Bootloaders thread, there a new twist
> which is the result of a security fix
>
> http://www.theregister.co.uk/2016/08/10/linux_tor_users_open_corrupted_communications/
>
> In a bid to thwart the risk from injected packets carrying the right
> quintuplet of source and dest IPs, source & dest ports, and sequence
> numbers, it now seems that there are "occasional" challenge packets
> sent. Simplifying a lot, basically one end will send packets to the
> other asking "did you really send that ?" - so if someone is spoofing
> fake traffic then it'll come to light.
>
> As these packets are globally rate limited - a third party can send a
> flood of dodgy packets to cause this limit to be exceeded, and thus
> disable the protection it provides. As I read it, the attack doesn't
> really bring anything new other than the ability to disable the
> security offered by RFC 5961 - and thus lower the threshold to that of
> the original CVE from 2004.

I suspect the best interim solution is to set
/proc/sys/net/ipv4/tcp_challenge_ack_limit=999999999 via sysctl, until
something better-thought-out than RFC 5961 comes out.

-- 
Cheers,                  QA engineer walks into a bar.  Orders a beer.
Rick Moen                Orders 0 beers.  Orders 999999999 beers.  Orders
rick@???      a lizard.  Orders -1 beers.  Orders a sfdeljknesv.
McQ! (4x80)              -- @sempf, https://www.sempf.net/post/On-Testing1.aspx