Recently a new security flaw has been found in the main TCP/IP networking subsystemens of the Linux operating system. The 3.6 Linux kernel introduced a global challenge ACK counter limit in order to improve tcp’s robustness to blind in-window attacks as specified in RFC 5961. However, an attacker can use this global challenge ACK counter to infer the sequence and ack number of an off-path tcp connection.

When it comes to security, and especially security of servers and Linux servers one cannot always rely on patching only. People maintaining servers need to have a more thorough understanding of how the system works in the deeper layers.

Someone once stated, more and more people know less and less of computers. This is unfortunately true. This however only applies for a small portion of people maintaining vital Linux servers in enterprise (I hope). This also means that operators who maintain those systems are aware that they cannot only rely on patching and understand that sometimes the quickest way to secure a system again is changing configuration.

In case of this specific security issue you can secure your system again by applying changes to the sysctl config file. For more information on how to fix this security issue you can find the details in this personal blogpost.