Posted: Thu Aug 16, 2018 4:40 am
Post subject: [Tip] How to mitigate DoS from CVE-2018-5391 kernel problem
This Debian page about CVE-2018-5391 suggests that you set:
net.ipv4.ipfrag_low_thresh = 196608
net.ipv6.ip6frag_low_thresh = 196608
net.ipv4.ipfrag_high_thresh = 262144
net.ipv6.ip6frag_high_thresh = 262144
You can do it by modifying /etc/sysctl.conf (see "man 8 sysctl"), or with:
/bin/echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
/bin/echo 196608 > /proc/sys/net/ipv6/ip6frag_low_thresh
/bin/echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
/bin/echo 262144 > /proc/sys/net/ipv6/ip6frag_high_thresh
Don't ask me its meaning ;-) I only know how to achieve it.
The above page says it'll mitigate a kernel flaw that can lead to DoS.
Hope this helps. Best regards.
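
A check that the four values from the post are actually in effect, added here as an example and not part of the original post. It assumes that a value at or below the post's figure counts as applied; the function name `check_frag_thresholds` and its optional root-directory argument are made up for this example.

```shell
#!/bin/sh
# Added example: audit the fragment-reassembly thresholds listed in the post.
# Usage after sourcing this file: check_frag_thresholds [ROOT]
# ROOT defaults to /proc/sys; another directory can be given to audit a copy.

# Path relative to ROOT, and the value given in the post.
FRAG_LIMITS='net/ipv4/ipfrag_low_thresh=196608
net/ipv6/ip6frag_low_thresh=196608
net/ipv4/ipfrag_high_thresh=262144
net/ipv6/ip6frag_high_thresh=262144'

check_frag_thresholds() {
    root=${1:-/proc/sys}
    status=0
    for entry in $FRAG_LIMITS; do
        key=${entry%%=*}
        want=${entry#*=}
        file=$root/$key
        # The ipv6 entries do not exist when IPv6 support is not loaded.
        if [ ! -r "$file" ]; then
            echo "SKIP  $key (not present)"
            continue
        fi
        have=$(cat "$file" 2>/dev/null)
        # Reject anything that is not a plain non-negative integer.
        case $have in
            ''|*[!0-9]*)
                echo "ERROR $key has unexpected content: '$have'"
                status=1
                continue ;;
        esac
        # Assumption: at or below the post's figure means the setting is applied.
        if [ "$have" -gt "$want" ]; then
            echo "FAIL  $key = $have (post says $want)"
            status=1
        else
            echo "OK    $key = $have"
        fi
    done
    return "$status"
}
```

Running it again after a reboot shows whether the /etc/sysctl.conf entries persisted, since values written with echo into /proc/sys are lost at shutdown.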