On August 10, 2016, a serious vulnerability in the Linux operating system kernel was demonstrated at the 25th USENIX Security Symposium. This vulnerability, documented in CVE-2016-5696 and labeled the “Off-Path TCP Exploit”, can allow attackers to terminate connections between vulnerable Linux hosts and inject malicious payloads into the communication if the connections are not encrypted.
According to the researchers who demonstrated the vulnerability: “The root cause of the vulnerability is the introduction of the challenge ACK responses and the global rate limit imposed on certain TCP control packets. The feature is outlined in RFC 5961, which is implemented faithfully in Linux kernel version 3.6 from late 2012. At a very high level, the vulnerability allows an attacker to create contention on a shared resource, i.e., the global rate limit counter on the target system by sending spoofed packets. The attacker can then subsequently observe the effect on the counter changes, measurable through probing packets.”
In order to protect our customers and our network against “Off-Path” attacks, Verizon Digital Media Services has raised the rate limit on challenge ACKs across its global CDN network.
For more information about the vulnerability, please see the USENIX presentation. For comprehensive protection, customers are advised to take mitigation measures on their origin-server infrastructure.
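The following script is an added example for origin-server operators; it is not part of this advisory or of Verizon's CDN configuration. It checks whether a Linux host still runs with the low default challenge-ACK rate limit that the side channel depends on, and can raise it the same way the CDN mitigation above does. It assumes the sysctl `net.ipv4.tcp_challenge_ack_limit`, which exists on kernels from 3.6 through the 4.x series (default 100); kernels carrying the upstream fix randomise the limit and later ones drop the sysctl entirely, so an absent file is a prompt to verify patch level rather than a finding on its own. The threshold value is an assumption taken from the commonly recommended setting of the time.

```shell
#!/bin/sh
# Added example (not from the advisory): report and optionally raise the
# challenge-ACK rate limit used by the CVE-2016-5696 side channel.
#
# Assumptions: the sysctl below exists on 3.6 - 4.x kernels. On kernels that
# randomise the limit or removed the knob, the file is absent and that is
# handled explicitly instead of being treated as a failure.

SYSCTL_PATH="/proc/sys/net/ipv4/tcp_challenge_ack_limit"
SAFE_LIMIT=999999999   # assumed threshold: large enough that the shared counter is never exhausted

# assess_limit VALUE -> prints "mitigated", "vulnerable" or "unknown"
# The attack works by driving the global counter to its cap; a cap this high
# cannot be reached with spoofed traffic in a one-second window.
assess_limit() {
    case "$1" in
        ''|*[!0-9]*) echo "unknown"; return 2 ;;
    esac
    if [ "$1" -ge "$SAFE_LIMIT" ]; then
        echo "mitigated"
    else
        echo "vulnerable"
    fi
}

# check_host -> reads the live sysctl and prints one status line
check_host() {
    if [ ! -r "$SYSCTL_PATH" ]; then
        echo "absent: sysctl not present; kernel likely patched or newer than 4.x (verify patch level)"
        return 0
    fi
    current=$(cat "$SYSCTL_PATH")
    echo "$(assess_limit "$current"): tcp_challenge_ack_limit=$current"
}

# harden -> raises the limit now and persists it in /etc/sysctl.conf (needs root)
harden() {
    [ -r "$SYSCTL_PATH" ] || { echo "nothing to do: sysctl absent"; return 0; }
    sysctl -w net.ipv4.tcp_challenge_ack_limit="$SAFE_LIMIT"
    grep -q '^net.ipv4.tcp_challenge_ack_limit' /etc/sysctl.conf 2>/dev/null \
        || echo "net.ipv4.tcp_challenge_ack_limit = $SAFE_LIMIT" >> /etc/sysctl.conf
    check_host
}

case "${1:-check}" in
    check)  check_host ;;
    harden) harden ;;
    *) echo "usage: $0 [check|harden]" >&2; exit 1 ;;
esac
```

Run it with no arguments to audit a host, or with `harden` as root to apply the mitigation. On hosts where the sysctl is absent, the right follow-up is to confirm that the running kernel includes the upstream fix rather than to assume it is safe.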
Ali Fedaei, Security Engineer
Scott Schroeder, Infrastructure Engineer