'TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.'
This attack vector is not a particular threat because our implementation does not use services that are particularly vulnerable. No actionable work to be done.
The attack described in this CVE is difficult to implement because the attacker would need the following information:
- The source IP (easy enough)
- The destination IP
- The port number
- The sequence number
This attack pretty much requires a man-in-the middle attack. When this threat came out paranoia reigned supreme. CNN, for example, ran a story that this 'flaw' could shut down the internet…and yet the Internet remains. By and large, upstream routers and ClearOS' Intrusion Prevention Systems watch for and protect the information required to implement this attack.
You can read more about this in this very well formed statement on the matter:
If your site is using BGP, we suggest that you use MD5 or other encryption between your peers for the BGP messaging. Likely you are not using BGP and if you are, your provider likely already requires encryption in your configuration.
To ensure particular vectors or iterations of this vulnerability are not viable against ClearOS, ensure that you are using and subscribed to ClearCenter Intrusion Prevention updates.
Additionally, ensure that any long-lasting, persistent connections are properly firewalled in the ClearOS Custom Firewall Rules set where applicable.