Apparently Linux, BSD, and macOS are all affected.
Which hasn't even made it to the Arch security list yet:
According to the article, though, Arch and Manjaro are among those currently vulnerable.
Mitigation is possible according to the researchers and it can be potentially achieved by turning reverse path filtering on, by using bogon filtering (filtering bogus, i.e. fake, IP addresses), or with the help of encrypted packet size and timing.
Checkup and mitigation
(from posting https://seclists.org/oss-sec/2019/q4/122)
- Turning reverse path filtering on
Potential problem: Asynchronous routing not reliable on mobile devices, etc. Also, it isn't clear that this is actually a solution since it appears to work in other OSes with different networking stacks. Also, even with reverse path filtering on strict mode, the first two parts of the attack can be completed, allowing the AP to make inferences about active connections, and we believe it may be possible to carry out the entire attack, but haven't accomplished this yet.
- Bogon filtering
Potential problem: Local network addresses used for VPNs and local networks, and some nations, including Iran, use the reserved private IP space as part of the public space.
- Encrypted packet size and timing
Since the size and number of packets allows the attacker to bypass the encryption provided by the VPN service, perhaps some sort of padding could be added to the encrypted packets to make them the same size. Also, since the challenge ACK per process limit allows us to determine if the encrypted packets are challenge ACKs, allowing the host to respond with equivalent-sized packets after exhausting this limit could prevent the attacker from making this inference.
We have prepared a paper for publication concerning this vulnerability and the related implications, but intend to keep it embargoed until we have found a satisfactory workaround. Then we will report the vulnerability to oss-security () lists openwall com. We are also reporting this vulnerability to the other services affected, which also includes: Systemd, Google, Apple, OpenVPN, and WireGuard, in addition to distros () vs openwall org for the operating systems affected.
Something like the following should be an easy check for the reverse path filtering:
if the value returned is a '1' then everything is fine. A 0 would require changes. Particularly changes to /etc/sysctl.conf or more preferably somewhere like
The following would enable 'reverse path filtering':
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
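As an added example (not part of this post or of the oss-sec advisory), a POSIX shell script that audits the rp_filter value of every interface, including the "all" and "default" pseudo-interfaces, and prints the two sysctl lines above when anything is not in strict mode. The RPF_DIR override is an assumption of this script so it can be pointed at a test directory instead of /proc.

```shell
#!/bin/sh
# Added example, not the forum poster's or the advisory authors' code.
# rp_filter values: 0 = off, 1 = strict, 2 = loose. The post treats only
# '1' as fine; loose mode is reported separately because it accepts any
# source address that is reachable via some route, not just the one it
# arrived on.

# Directory holding per-interface sysctl files (assumed override for tests).
RPF_DIR="${RPF_DIR:-/proc/sys/net/ipv4/conf}"

# rpf_status <dir>: prints "iface value status" per interface.
# Returns 0 when every interface is strict, 1 otherwise.
rpf_status() {
    dir="$1"
    rc=0
    for f in "$dir"/*/rp_filter; do
        [ -r "$f" ] || continue          # no match or unreadable: skip
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        case "$val" in
            1) st="ok (strict)" ;;
            2) st="WEAK (loose)"; rc=1 ;;
            *) st="OFF"; rc=1 ;;
        esac
        printf '%s %s %s\n' "$iface" "$val" "$st"
    done
    return $rc
}

# rpf_suggest_sysctl: the two keys the post recommends, in sysctl.conf form.
rpf_suggest_sysctl() {
    printf 'net.ipv4.conf.default.rp_filter = 1\n'
    printf 'net.ipv4.conf.all.rp_filter = 1\n'
}

# Stand-alone use: report, then print the fix if anything is not strict.
if ! rpf_status "$RPF_DIR"; then
    echo "# not all interfaces are strict; add to a file under /etc/sysctl.d/:"
    rpf_suggest_sysctl
fi
```

Run it as root or with read access to /proc; "all" must be 1 for strict mode to apply to existing interfaces, and "default" covers interfaces created later.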