This guide shows how to mitigate the off-path TCP vulnerability CVE-2016-5696 (the challenge ACK rate-limit side channel introduced with RFC 5961 handling) on a CentOS 6.8 machine.
Run uname -r to check the kernel version your box is running.
Run cat /etc/centos-release to verify your CentOS version details.
Below is a screenshot of the output of both commands from my CentOS 6.8 box.
Workaround against the attack:
Open /etc/sysctl.conf in an editor as root, for example with vi /etc/sysctl.conf:
Below is a screenshot of my default sysctl.conf file which does not contain “net.ipv4.tcp_challenge_ack_limit”.
Now add the following line at the end of the config file:
net.ipv4.tcp_challenge_ack_limit = 999999999
Below is a screenshot after editing the config file.
Save and exit the file. (Press ESC and then type :wq and hit Enter in your keyboard).
Editing the file alone does not change the running kernel; run sysctl -p to load the new setting, then sysctl net.ipv4.tcp_challenge_ack_limit to verify that the value is 999999999. Without sysctl -p (or a reboot) the kernel keeps using the old limit.
If the command prints net.ipv4.tcp_challenge_ack_limit = 999999999, the workaround is in effect. The attack works by counting how many challenge ACKs the kernel sends within one second: because the limit is global, an attacker who can make the kernel hit it learns whether their spoofed packets were consuming part of that budget, and from that infers connection state and sequence numbers. Raising the limit so high that the attacker can never exhaust it removes that signal, so the attack becomes impractical. The above is a workaround for the off-path TCP attack on a CentOS 6.8 machine and applies equally to RHEL 6.8.
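The whole procedure above (set the limit at runtime, persist it in /etc/sysctl.conf, reload, verify) as one script. This is an added example, not code from the original post or from Red Hat: the sysctl key and the value 999999999 are the ones used above, while the function names, the --apply/--check switches, and the rule that a limit is "safe" when it is at least 999999999 are this example's own assumptions. Setting the key in the file is idempotent, so running it twice does not leave two conflicting lines.

```shell
#!/bin/bash
# Added example (not from the original article): apply and verify the
# tcp_challenge_ack_limit workaround for CVE-2016-5696 on CentOS/RHEL 6.
# Assumptions: the value 999999999 from the article counts as "safe";
# the --apply/--check switches and function names are this script's own.
set -u

SYSCTL_KEY="net.ipv4.tcp_challenge_ack_limit"
SYSCTL_VALUE="999999999"
SYSCTL_CONF="/etc/sysctl.conf"

# Escape the dots in a sysctl key so it can be used inside a sed/grep regex.
key_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Print the last value assigned to KEY in FILE (nothing if the key is absent).
conf_get() {
    key_re=$(key_regex "$1")
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$2" | tail -n 1
}

# Set KEY = VALUE in FILE: rewrite an existing assignment in place, else append one.
conf_set() {
    key="$1"; value="$2"; file="$3"
    key_re=$(key_regex "$key")
    if grep -q "^[[:space:]]*${key_re}[[:space:]]*=" "$file"; then
        sed -i "s/^[[:space:]]*${key_re}[[:space:]]*=.*/${key} = ${value}/" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Number of (uncommented) assignments of KEY in FILE; exactly 1 after conf_set.
conf_count() {
    key_re=$(key_regex "$1")
    grep -c "^[[:space:]]*${key_re}[[:space:]]*=" "$2" || true
}

# Effective kernel value of KEY, read from /proc/sys (empty if the kernel lacks it).
runtime_get() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    { [ -r "$path" ] && cat "$path"; } || true
}

# The workaround holds when the effective limit is a number >= SYSCTL_VALUE.
# The old default of 100 (or 1000) fails; 999999999 and 2147483647 pass.
limit_is_safe() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$SYSCTL_VALUE" ]
}

# Report the running value without changing anything (no root needed).
check_workaround() {
    effective=$(runtime_get "$SYSCTL_KEY")
    if limit_is_safe "$effective"; then
        echo "OK: ${SYSCTL_KEY} = ${effective} on kernel $(uname -r)"
    else
        echo "NOT mitigated: ${SYSCTL_KEY} = '${effective}' on kernel $(uname -r)" >&2
        return 1
    fi
}

# Set the limit now, persist it, reload sysctl.conf and verify. Needs root.
apply_workaround() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    sysctl -w "${SYSCTL_KEY}=${SYSCTL_VALUE}" > /dev/null
    conf_set "$SYSCTL_KEY" "$SYSCTL_VALUE" "$SYSCTL_CONF"
    sysctl -p "$SYSCTL_CONF" > /dev/null   # make sure the file and the kernel agree
    check_workaround
}

# With no argument only the functions are defined; see the usage note.
case "${1:-}" in
    --apply) apply_workaround ;;
    --check) check_workaround ;;
esac
```

Run it as root with --apply to mitigate the box, and with --check (as any user) to confirm the running kernel still carries the raised limit, for example after a reboot or after a configuration management run has rewritten /etc/sysctl.conf.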
If you are not looking for the workaround but for a permanent fix, run a kernel that contains the actual patch. Upstream, the fix (which randomizes the challenge ACK count instead of relying on a fixed, globally shared limit) landed in Linux 4.7, not 4.6. On CentOS/RHEL 6 the practical route is the vendor's patched kernel (yum update kernel, then reboot) rather than a mainline kernel; see the Red Hat articles under References.
References: Red Hat Customer Portal entry for CVE-2016-5696; Red Hat article on the TCP challenge ACK vulnerability.