1. Home
  2. Forums Index
  3. Server Side / Linux, Unix, and *nix like Operating Systems 2:53 am May 21, 2026

Forum Moderators: bakedjake

Message Too Old, No Replies

Linux Servers TCP Flaw Allows Web Traffic Hijacking

         

engine

3:28 pm on Aug 11, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



A proof of concept exploit shows that an attack takes only 10-seconds where the hacker can accurately guess and extract TCP packet sequence numbers exchanged between two hosts. No Man in the Middle position is required.

It's not clear how this might be closed as it's part of the implementation of RFC 5961 standard.

The vulnerability affects all Linux kernel versions between v3.6 and up to v4.7 and existed in the Linux kernel for the past four years. At the heart of the problem is the design of the RFC 5961, a standard that dictates how TCP connections are established between two hosts.

Read more: [news.softpedia.com...]
Linux Servers TCP Flaw Allows Web Traffic Hijacking [news.softpedia.com]

graeme_p

3:50 pm on Aug 11, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"An attacker which knows a connections client IP, server IP and server port can abuse the challenge ACK mechanism
to determine the accuracy of a normally 'blind' attack on the client or server."

Not going to be a common attack, then.

May affect other OSes.

https helps, but does not prevent a DDOS using it.

lammert

3:53 pm on Aug 11, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



After reading the security alert, it seems that more recent versions of the Linux kernel do not properly keep track of incoming ACK segments, making it possible to fire a number of bogus packets to the server from an attacking computer in order to hijack an existing TCP connection between that server and a third party.

After that it is possible to inject malicious packets in the existing data stream between those two computers. Before this attack will work the attacking computer must know the IP addresses of the two parties who are actively communicating with each other at the moment of the attack. Therefore this attack is most useful to inject malicious packets in persistent communications between servers. Attacking a client connecting on an ad hoc basis with servers while surfing on the internet is much more difficult because the attack can only be successful during an existing TCP connection. DOS-ing the TOR network which uses a number of servers with fixed IP addresses is a feasible option as is mentioned in the page engine linked to.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / Linux, Unix, and *nix like Operating Systems 2:53 am May 21, 2026