Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments
An XCCDF Rule
Description
Make sure that the system is configured to limit the maximal rate for sending
duplicate acknowledgments in response to incoming TCP packets that are for
an existing connection but that are invalid due to any of these reasons:
(a) out-of-window sequence number, (b) out-of-window acknowledgment number,
or (c) PAWS (Protection Against Wrapped Sequence numbers) check failure
This measure protects against or limits effects of DoS attacks against the system.
Set the system to implement rate-limiting measures by adding the following line to
/etc/sysctl.conf
or a configuration file in the /etc/sysctl.d/
directory
(or modify the line to have the required value):
net.ipv4.tcp_invalid_ratelimit =Issue the following command to make the changes take effect:
# sysctl --system
Rationale
Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When
this occurs, the organization either cannot accomplish its mission or must
operate at degraded capacity.
This can help mitigate simple “ack loop” DoS attacks, wherein a buggy or
malicious middlebox or man-in-the-middle can rewrite TCP header fields in
manner that causes each endpoint to think that the other is sending invalid
TCP segments, thus causing each side to send an unterminating stream of
duplicate acknowledgments for invalid segments.
- ID
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_invalid_ratelimit
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.tcp_invalid_ratelimit from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
Remediation - Ansible
- name: List /etc/sysctl.d/*.conf files
find:
paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/