Re: Just Linux?
"Aren't the other operating systems effectively even weaker against this because they haven't implemented RFC5961 at all?"
Sadly, not. The problem is that since the total number of challenges is rate limited, an attacker can deduce the number of challenges sent on attempts to spoof valid connections. So instead of having to guess port number tuples, the attacked system will now tell you.
In order to make blind guessing less effective, we will now let you know when you are getting close. Sadly, a small flaw in an attempt at hardening has made things worse.
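The leak described in the comment above, as an added toy model that is not part of the original post: a host that draws every challenge from one shared budget lets an observer see, on its own connection, whether a packet aimed at someone else's connection consumed a challenge. The class and function names, the limit of 100, and the per-connection budget used for comparison are assumptions made for illustration; nothing here touches the network.

```python
# Constructed in-memory model of a rate-limited challenge responder.
class Host:
    def __init__(self, limit, shared):
        self.limit = limit      # challenges allowed per interval (assumed value)
        self.shared = shared    # True: one global budget, False: one per connection
        self.conns = set()
        self.used = {}          # budget key -> challenges sent this interval

    def open(self, conn):
        self.conns.add(conn)

    def new_interval(self):
        self.used.clear()

    def receive(self, conn):
        """Packet that earns a challenge if conn exists; True if one was sent."""
        if conn not in self.conns:
            return False
        key = "global" if self.shared else conn
        if self.used.get(key, 0) >= self.limit:
            return False        # budget exhausted, stay silent
        self.used[key] = self.used.get(key, 0) + 1
        return True


def observed_challenges(host, guess, own_conn):
    """Challenges the observer gets back on its own connection in one interval,
    after a single packet claiming to belong to `guess` reached the host."""
    host.new_interval()
    host.receive(guess)  # any reply goes to the real peer, never to the observer
    return sum(host.receive(own_conn) for _ in range(host.limit))


def leak(shared, limit=100):
    """Return (count when the guess matched a live connection, count when not)."""
    host = Host(limit, shared)
    host.open("victim")
    host.open("observer")
    hit = observed_challenges(host, "victim", "observer")
    miss = observed_challenges(host, "no-such-connection", "observer")
    return hit, miss


if __name__ == "__main__":
    print("shared budget        :", leak(shared=True))   # counts differ: oracle
    print("per-connection budget:", leak(shared=False))  # counts equal: no signal
```

With the shared budget the two counts differ by one, which is the signal the comment refers to; with separate budgets they are identical.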