Skip to content
/ tcp_sack_fix Public

Chef cookbook with persistent syctl fix for TCP SACK DoS vulnerability

License

GPL-3.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

sonoransun/tcp_sack_fix

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
recipes
recipes
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
metadata.rb
metadata.rb
 
 

Repository files navigation

Fix CVE-2019-11477 SACK Panic Denial of Service

Introduction

This cookbook is a useful example of basic chef functionality. Consisting of just two components, the metadata and the recipe, it is a good example for teaching core chef concepts.

Default Recipe

The default recipe sets a sysctl variable:

net.ipv4.tcp_sack = 0

With SACK disabled, the DoS attack described in TCP SACK PANIC - Kernel vulnerabilities is mitigated.

Usage

Per usual, upload the cookbook to your chef server:

$ knife upload ./tcp_sack_fix

Then add to the run list for your Linux clients or a common role they share.

Confirmation

Use the sysctl utility for confirmation that the change has been applied.

$ sysctl net.ipv4.tcp_sack
net.ipv4.tcp_sack = 0

About

Chef cookbook with persistent syctl fix for TCP SACK DoS vulnerability

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages