Bug 206945

Summary: aaa
Product: Networking Reporter: fengxw18
Component: IPV4Assignee: Stephen Hemminger (stephen)
Severity: high    
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: since kernel 3.9 Tree: Mainline
Subsystem: Regression: No

Description fengxw18 2020-03-25 08:49:38 UTC
Through sending a forged ICMP "Fragmentation Needed" message to the Linux host,
an off-path attacker can clear the DF (Don't Fragment) flag in IP header, thus
downgrading the IPID assignment for TCP datagrams from the more secure per-socket
based counter to hash based counter (since kernel version 3.9). Then the attacker
can detect a shared IPID counter via hash collisions, which forms a side-channel.
By observing the side channel, the attacker can hijack TCP connections on
the vulnerable Linux host completely off-path.
Comment 1 fengxw18 2020-03-25 09:15:34 UTC

*** This bug has been marked as a duplicate of bug 1 ***