New ping-based attack



  • FYI. Article states that FreeBSD is among the affected

    https://www.theregister.co.uk/2019/06/17/linux_tcp_sack_kernel_crash/



  • Looks like it only effects FreeBSD 12, and in a more limited way than Linux. This isn't an issue with 2.4.4, which is based on 11.2
    EDIT: It's only an issue on 12 if you enable the new TCP RACK stuff, which is off by default.


  • Rebel Alliance Developer Netgate

    This isn't relevant to pfSense in any way, as far as I can tell.

    • It only affects FreeBSD 12, so it would not affect the current release, 2.4.4-p3, which is based on FreeBSD 11.2
    • It only affects the RACK TCP stack which is not used on pfSense 2.5.0 snapshots. This is an optional, non-default, TCP stack. The module for it is not built nor included in images.

    To use that stack, someone has to go out of their way to load the tcp_rack kernel module (which isn't on pfSense) and set net.inet.tcp.functions_default=rack (which on pfSense 2.5.0 is set to the default, freebsd)



  • @jimp said in New ping-based attack:

    This isn't relevant to pfSense in any way, as far as I can tell.

    • It only affects FreeBSD 12, so it would not affect the current release, 2.4.4-p3, which is based on FreeBSD 11.2
    • It only affects the RACK TCP stack which is not used on pfSense 2.5.0 snapshots. This is an optional, non-default, TCP stack. The module for it is not built nor included in images.

    To use that stack, someone has to go out of their way to load the tcp_rack kernel module (which isn't on pfSense) and set net.inet.tcp.functions_default=rack (which on pfSense 2.5.0 is set to the default, freebsd)

    Good to know. Thanks.


Log in to reply