Skip to content

Chef cookbook with persistent syctl fix for TCP SACK DoS vulnerability

License

Notifications You must be signed in to change notification settings

sonoransun/tcp_sack_fix

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Fix CVE-2019-11477 SACK Panic Denial of Service

Introduction

This cookbook is a useful example of basic chef functionality. Consisting of just two components, the metadata and the recipe, it is a good example for teaching core chef concepts.

Default Recipe

The default recipe sets a sysctl variable:

net.ipv4.tcp_sack = 0

With SACK disabled, the DoS attack described in TCP SACK PANIC - Kernel vulnerabilities is mitigated.

Usage

Per usual, upload the cookbook to your chef server:

$ knife upload ./tcp_sack_fix

Then add to the run list for your Linux clients or a common role they share.

Confirmation

Use the sysctl utility for confirmation that the change has been applied.

$ sysctl net.ipv4.tcp_sack
net.ipv4.tcp_sack = 0

About

Chef cookbook with persistent syctl fix for TCP SACK DoS vulnerability

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages