Ben Voigt's questions

The Linux kernel vulnerability CVE-2016-5696 disclosed last week affects a lot of devices, and a network administrator may not have root access to all of them (if owned by customer, or in the case of Android, root is held by the manufacturer and not the owner). It's unreasonable to think that patches will be coming anytime soon for all of these devices, and without root it isn't even possible to increase the global rate limit to mitigate the side channel.

However, the attack relies on the attacker being able to intentionally trigger a number of challenge-ACK packets back to themselves, in order to see whether the one on the spoofed connection causes the limit to be reached. If a border firewall were to restrict the number of challenge-ACK packets returning to an attacker to a lower number than the limit on the device being attacked, the information leak would be plugged.

For example, if a vulnerable device has a default global rate limit of 100, then implementing a per-node rate limit of 20 at a border router would prevent an outside attacker from executing the off-path attack, even if the device and firewall clock are not synchronized (best attacker can do is 20 at the end of one second followed immediately by 40 in the next, far short of the 100 that the attacked device is configured to send). Local devices could still communicate without being affected by the rate limit.

How would one implement such a mitigation using iptables on a Linux firewall running kernel version 4.x? What packets should be matched, what modules would keep track of the per-node rate and allow limiting?

Is it possible to detect an ongoing attack by counting challenge ACK packets (does the firewall have enough information to distinguish them?) and then blackhole the attacker? (This probably could not be accomplished using iptables alone, but using a reactive rule generator)

Detecting challenge-ACK packets may be a prerequisite, in order to not throttle ACK packets coming from the true peer.

Note: I am asking about outbound concurrent connection limits, not inbound, which is sufficiently covered on existing questions

Modern browsers typically open a large number of simultaneous connections, to take advantage of the fact that TCP fairly shares bandwidth between connections. Of course, this doesn't result in fair sharing between users, so some servers have started penalizing hosts which open too many connections. This limit can be configured client-side (e.g. IE MaxConnectionsPerServer, Firefox network.http.max-connections-per-server), but the method differs for each browser and version, and many users aren't competent to adjust it themselves. So we turn to a squid transparent HTTP proxy for central management of HTTP download.

How can the number of simultaneous connections from squid to a remote webserver be limited, so the webserver doesn't perceive it as abuse of concurrent connections? Ideally the limit would be per source address. Squid should accept virtually unlimited concurrent requests from the client browser, and issue them sequentially to the remote server, only N at a time to each server, delaying (but not dropping) the others.

All the Ethernet switches and access points on my network provide snmp access to the bridge learn table except for my linux-based bridge.

Does net-snmp support exporting the bridge forwarding database via snmp? This is BRIDGE-MIB defined in RFC 1493 (or even better, Q-BRIDGE-MIB defined in RFC2674). What snmpd configuration options are needed to make this work? Do I need to build and deploy some of the optional agents?

Is there a better way to remotely gather the information displayed by brctl showmacs br0 (specifically, the list of learned MAC addresses and the port number via which each is reachable)?

I'm trying to identify trouble users on our network. ntop identifies high traffic and high connection users, but malware doesn't always need high bandwidth to really mess things up. So I am trying to do offline analysis with snort (don't want to burden the router with inline analysis of 20 Mbps traffic). Apparently snort provides a -r option for this purpose, but I can't get the analysis to run.

The analysis system is gentoo, amd64, in case that makes any difference. I've already used oinkmaster to download the latest IDS signatures. But when I try to run snort, I keep getting the following error:

% snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.3 IPv6 GRE (Build 98) x86_64-linux
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.11 2010-12-10
           Using ZLIB version: 1.2.5

%> snort -v -r jan21-for-snort.cap -c /etc/snort/snort.conf -l ~/snortlog/

(snip)

273 out of 1024 flowbits in use.

[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 314
|     1 byte states : 304
|     2 byte states : 10
|     4 byte states : 0
| Characters        : 69371
| States            : 58631
| Transitions       : 3471623
| State Density     : 23.1%
| Patterns          : 3020
| Match States      : 2934
| Memory (MB)       : 29.66
|   Patterns        : 0.36
|   Match Lists     : 0.77
|   DFA
|     1 byte states : 1.37
|     2 byte states : 26.59
|     4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 563 ]
ERROR: Can't find pcap DAQ!
Fatal Error, Quitting..

net-libs/daq is installed, but I don't even want to capture traffic, I just want to process the capture file.

What configuration options should I be setting/unsetting in order to do offline analysis instead of real-time capture?

I'm planning updates to a system that is currently running with 8.x server on Windows, 8.x client on Windows, and 8.x client on Linux. Obviously that seems like a bad choice of platform in a mixed environment, but the Linux machine has no persistent writable storage (as an anti-rootkit measure). I'm concerned with compatibility between versions right now.

Can a linux postgresql 9.0.x client connect to a Windows 8.x server? The server is using some third-party binary extensions, so upgrading it is a more involved task and will be done later.

If combining a 9.0.x client and 8.x server is discouraged, would latest 8.x clients be able to continue to connect if I did upgrade the server first?

META: What tag is appropriate for backward-compatibility questions?