CVE-2018-5391: adjusted the values for fragmentation reassembly to re…

…commended values

CVE-2018-5391 (FragmentSmack)

    Juha-Matti Tilli discovered a flaw in the way the Linux kernel
    handled reassembly of fragmented IPv4 and IPv6 packets. A remote
    attacker can take advantage of this flaw to trigger time and
    calculation expensive fragment reassembly algorithms by sending
    specially crafted packets, leading to remote denial of service.

    This is mitigated by reducing the default limits on memory usage
    for incomplete fragmented packets.  The same mitigation can be
    achieved without the need to reboot, by setting the sysctls:

    net.ipv4.ipfrag_high_thresh = 262144
    net.ipv6.ip6frag_high_thresh = 262144
    net.ipv4.ipfrag_low_thresh = 196608
    net.ipv6.ip6frag_low_thresh = 196608

sysctl.conf

@@ -230,9 +230,11 @@ net.ipv4.tcp_tw_reuse = 1
 net.ipv4.tcp_max_orphans = 16384
 net.ipv4.tcp_orphan_retries = 0
 
-# Increase the maximum memory used to reassemble IP fragments
-net.ipv4.ipfrag_high_thresh = 512000
-net.ipv4.ipfrag_low_thresh = 446464
+# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
+net.ipv4.ipfrag_high_thresh = 262144
+net.ipv6.ip6frag_high_thresh = 262144
+net.ipv4.ipfrag_low_thresh = 196608
+net.ipv6.ip6frag_low_thresh = 196608
 
 # don't cache ssthresh from previous connection
 net.ipv4.tcp_no_metrics_save = 1