Hacker News new | past | comments | ask | show | jobs | submit login

Correct. It does completely prevent the attack for IPv4, however, so we didn't notice the attack until the rp_filter settings were changed.

I can verify that turning rp_filter on in my use case is an acceptable solution on Manjaro and Ubuntu.

EDIT: To clear up the confusion below, I was saying that setting the rp_filter variable to strict mode does prevent this attack from working against IPv4, and in my situation, this is enough since I am not using IPv6 or any complicated routing on my network etc.




I don't understand why it would be different for IPv6. are you just referring to the fact that there is no sysctl for reverse path filtering for IPv6? does it still work with ip6tables -t raw -A PREROUTING -m rpfilter --invert -j DROP?


I'm confused!

You write that turning rp_filter to 0 or 1 prevents the attack? While the report says that parts of the attack can't be accomplished.

Does it completely prevent the attack, or only parts of it? This isn't clear when reading this comment, and the initial oss-sec disclosure.

Important as Arch Linux is contemplating possible patching or not.


They edited their comment to clarify that only strict mode ("2") prevents the attack, against IPv4.


2 is loose. 1 is strict.


Mea culpa. 1 it is.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: