UCR researchers show how communications involving Linux and Android systems can be compromised quickly, easily and from anywhere

Researchers at the University of California, Riverside have identified a weakness in the Transmission Control Protocol (TCP) implementation of all Linux operating systems since late 2012 that enables attackers to hijack users' internet communications completely remotely.

How Dangerous is the vulnerability?

Such a weakness could be used to launch targeted attacks that track users' online activity, forcibly terminate a communication, hijack a conversation between hosts or degrade the privacy guarantees of anonymity networks such as Tor.

Are you in Danger?

While most users don't interact directly with the Linux operating system, the software runs behind the scenes on internet servers, Android phones and a range of other devices. To transfer information from one source to another, Linux and other operating systems use the Transmission Control Protocol (TCP) to package and send data, and the Internet Protocol (IP) to make sure the information gets to the correct destination.

The UCR researchers didn't rely on chance, though. Instead, they identified a subtle flaw (in the form of 'side channels') in the Linux software that enables attackers to infer the TCP sequence numbers associated with a particular connection with no more information than the IP addresses of the communicating parties.

Temporary Fix for Vulnerability

The following temporary patch can be applied to both client and server hosts. It simply raises the 'challenge ACK limit' to an extremely large value to make it practically impossible to exploit the side channel. This can be done on Ubuntu, for instance, as follows:

- Open /etc/sysctl.conf and append the line "net.ipv4.tcp_challenge_ack_limit = 999999999".
- Run "sysctl -p" to load the updated configuration.
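The two steps above are easy to get wrong on a fleet: a later duplicate line in sysctl.conf silently wins, and nobody checks what the running kernel actually uses. The following helper, added here as an example and not part of the UCR paper or the article, rewrites a sysctl.conf body so the mitigation is in force exactly once and reads the live value from the kernel's sysctl node. It assumes only the subset of sysctl.conf(5) syntax shown (key = value lines, comments starting with # or ;) and the /proc path that backs this sysctl; running `sysctl -p` after writing the file is still the administrator's job.

```python
"""Check and apply the temporary CVE-2016-5696 mitigation from the text:
raise net.ipv4.tcp_challenge_ack_limit in sysctl.conf. Added example; the
parsing is a deliberately small subset of sysctl.conf(5) (key = value lines,
# or ; comments) and the threshold is the value the article recommends."""
import sys
from pathlib import Path

KEY = "net.ipv4.tcp_challenge_ack_limit"
MITIGATION_VALUE = 999999999   # value recommended in the article
KERNEL_DEFAULT = 100           # per-second limit the side channel relies on
PROC_PATH = "/proc/sys/net/ipv4/tcp_challenge_ack_limit"  # sysctl node


def parse_sysctl_conf(text):
    """Return {key: value} for a sysctl.conf body. Later assignments win,
    which is how 'sysctl -p' applies the file."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        values[key] = value
    return values


def set_sysctl_value(text, key, value):
    """Return the config text with 'key = value' in force. Every existing
    assignment of key is collapsed into one line so a later duplicate
    cannot silently override the mitigation; the line is appended if absent."""
    out, done = [], False
    for raw in text.splitlines():
        line = raw.strip()
        is_assignment = line and line[0] not in "#;" and "=" in line
        if is_assignment and line.split("=", 1)[0].strip() == key:
            if not done:
                out.append(f"{key} = {value}")
                done = True
            continue  # drop duplicate assignments of the key
        out.append(raw)
    if not done:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def is_mitigated(limit_value, minimum=MITIGATION_VALUE):
    """True only when the limit is at least the recommended value; the
    kernel default of 100 is exactly the condition the paper exploits."""
    try:
        return int(limit_value) >= minimum
    except (TypeError, ValueError):
        return False


def running_kernel_limit(path=PROC_PATH):
    """Value the running kernel uses, or None when the node is absent
    (non-Linux host, or a kernel that no longer exposes this sysctl)."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    # Usage: python3 challenge_ack.py [/etc/sysctl.conf]
    # Prints the live value and the rewritten config on stdout; writing it
    # back and running 'sysctl -p' is left to the administrator.
    live = running_kernel_limit()
    print(f"running kernel limit: {live} (mitigated: {is_mitigated(live)})")
    conf_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sysctl.conf"
    try:
        current = Path(conf_path).read_text()
    except OSError:
        current = ""
    sys.stdout.write(set_sysctl_value(current, KEY, MITIGATION_VALUE))
```

Treat this as a stopgap check, not a permanent control: the CVE entry below scopes the bug to kernels before 4.7, so the durable fix is a kernel update, and `running_kernel_limit` returning None on a newer kernel is not by itself a sign of trouble.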
Demo Video

https://www.youtube.com/watch?v=b2C5P0dEBTM

Download Attack Paper and How this Hack Works

Read the Technical Paper Here. Once you finish reading it, this might summarize it:

- The hard part of taking over a TCP connection is to guess the source port of the client and the current sequence number.
- The global rate limit for sending challenge ACKs (100/s in Linux), introduced together with challenge ACKs (RFC 5961), makes it possible to guess in a first step a source port used by the client's connection and in a next step the sequence number. The main idea is to open a connection to the server and send, from the attacker's own source address, as many RST packets with a wrong sequence number as possible, mixed with a few spoofed packets. By counting how many challenge ACKs get returned to the attacker, and by knowing the rate limit, one can infer how many of the spoofed packets resulted in a challenge ACK to the spoofed client, and thus how many of the guesses were correct. This way one can quickly narrow down which values of port and sequence number are correct. The attack can be completed within a few seconds.
- Of course the attacker needs to be able to spoof the IP address of the client, which is not possible in all environments. It might be possible in local networks (depending on the security measures), but ISPs will often block IP spoofing from the usual DSL/cable/mobile accounts.
- To really understand the attack you need to understand what challenge ACKs are used for (defending against off-path TCP RST attacks) and how they work. Thus it might be useful to read RFC 5961 too.

Common Vulnerabilities and Exposures

CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack.
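The summary above gives defenders one observable to work with: the probing host sends its RSTs from its own address, on its own connection, at a rate that has to approach the 100 per second limit to drain the counter. The following detection heuristic, added here as an example and not taken from the paper or the article, counts RST segments per source, destination and second over tcpdump-style lines and flags sources that reach that rate. The line format, the threshold and every sample line are constructed for the example; the spoofed packets themselves carry the client's address and are not what this heuristic looks for.

```python
"""Detection heuristic for the probing phase of the off-path attack summarised
above: the attacker's own host must fire on the order of 100 RST segments per
second at the server to drain the global challenge-ACK counter. Added example;
the tcpdump-style line format and every sample line are constructed."""
import re
from collections import Counter

# Matches the start of a 'tcpdump -nn' style TCP line:
#   "HH:MM:SS.usec IP src.port > dst.port: Flags [..]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[A-Z.]*)\]"
)

# Assumption: the pre-4.7 kernel limit of 100 challenge ACKs/s is the rate a
# probe has to approach, so one source sending >= 100 RSTs/s to one host is
# the signal. Tune per site; buggy clients or scanners can also trip it.
RST_PER_SECOND_THRESHOLD = 100


def parse_line(line):
    """Return the fields of one capture line, or None if it is not a TCP line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def rst_bursts(lines, threshold=RST_PER_SECOND_THRESHOLD):
    """Count RST segments per (src, dst, second) and return the buckets that
    reach the threshold: {(src, dst, 'HH:MM:SS'): count}."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or "R" not in rec["flags"]:
            continue
        counts[(rec["src"], rec["dst"], rec["ts"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def constructed_capture():
    """Constructed sample: three ordinary RSTs from a normal client, then 150
    RSTs with bogus sequence numbers from one probing host within one second,
    all on a single source port (its own established connection)."""
    lines = []
    for i, ts in enumerate(["12:00:00", "12:00:01", "12:00:03"]):
        lines.append(
            f"{ts}.10{i}000 IP 192.0.2.10.5100{i} > 198.51.100.5.443: "
            "Flags [R.], seq 1, ack 1, win 0, length 0"
        )
    for i in range(150):
        lines.append(
            f"12:00:01.{i:06d} IP 203.0.113.7.40001 > 198.51.100.5.443: "
            f"Flags [R], seq {1000 + i}, win 0, length 0"
        )
    return lines


if __name__ == "__main__":
    # Usage: python3 rst_bursts.py  (runs over the constructed sample)
    for (src, dst, second), n in sorted(rst_bursts(constructed_capture()).items()):
        print(f"{second} {src} -> {dst}: {n} RST segments in one second")
```

Per-second bucketing is deliberate: the kernel's counter is also per second, so a host that never comes near 100 RSTs in any single second cannot be draining it, which keeps ordinary connection churn out of the alerts. The mitigation in the previous section removes the signal rather than the traffic, so this check is still worth running on hosts that have been patched, to find the probing host.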