Slashdot Mirror


TCP Flaw Lets Remote Attackers Stall Devices With Tiny DoS Attack (zdnet.com)

An anonymous reader quotes a report from ZDNet: Security researchers are warning Linux system users of a bug in the Linux kernel version 4.9 and up that could be used to hit systems with a denial-of-service attack on networking kit. The warning comes from Carnegie Mellon University's CERT/CC, which notes that newer versions of the Linux kernel can be "forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (DoS)".

It lists a number of network-equipment vendors, PC and server manufacturers, mobile vendors, and operating-system makers that may be affected but notes that it hasn't confirmed whether any of them actually are. But, given the widespread use of Linux, the bug could affect every vendor from Amazon and Apple through to Ubuntu and ZyXEL. A remote attacker could cause a DoS by sending specially modified packets within ongoing TCP sessions. But sustaining the DoS condition would mean an attacker needs to have continuous two-way TCP sessions to a reachable and open port.
The bug, dubbed "SegmentSmack" by Red Hat, has "no effective workaround/mitigation besides a fixed kernel."

54 comments

  1. Ping of death by Anonymous Coward · · Score: 0

    ping on my DAMN balls

    SYN

    ACK

    SYN/ACK

    suck: my DAMN balls

    ACK

    awwwwwwww yeahhhhhhhhhhh

    RST

    1. Re:Ping of death by Anonymous Coward · · Score: 1

      You're angry because you have a tiny DoS.

    2. Re:Ping of death by Anonymous Coward · · Score: 0

      Yeah, but I got an email about enlarging it to a massive DoS.

  2. Don't Look Over The Stall by Anonymous Coward · · Score: 0

    It ain't pretty TCP over that other stall.

  3. Tiny DoS Attack (refrain) by 93+Escort+Wagon · · Score: 3, Funny

    Hold me closer, Tiny DoSser...
    Count the packets on the (information super) highway,
    Lay me down with TCP calls,
    You've had a busy day today.

    --
    #DeleteChrome
    1. Re:Tiny DoS Attack (refrain) by Anonymous Coward · · Score: 1

      Slow clap.

    2. Re:Tiny DoS Attack (refrain) by Anonymous Coward · · Score: 0

      Haha, love it.

    3. Re:Tiny DoS Attack (refrain) by 93+Escort+Wagon · · Score: 1

      Slow claps are the best claps!

      --
      #DeleteChrome
  4. Yeah even Linux has issues by Anonymous Coward · · Score: 0

    I like Linux, if I hadn’t grown up on Windows I probably would use it more. Everything has flaws, it's going to happen. Anyone who thinks something is perfect is lying.

    1. Re:Yeah even Linux has issues by ole_timer · · Score: 2

      all things designed and built by humans have flaws...

      --
      nothing to see here - move along
    2. Re:Yeah even Linux has issues by Anonymous Coward · · Score: 0

      ZOMG!!! what wisdom...thank you so much. I'm glad I came here today.

    3. Re: Yeah even Linux has issues by Anonymous Coward · · Score: 0

      I fucking hat Linux but I love giving its users swirlies

    4. Re: Yeah even Linux has issues by Anonymous Coward · · Score: 0

      I'm confused, do you use RedHat or Debian?

    5. Re:Yeah even Linux has issues by DontBeAMoran · · Score: 1

      I'm glad I came here today.

      Eww... too much information.

      --
      #DeleteFacebook
    6. Re: Yeah even Linux has issues by Anonymous Coward · · Score: 0

      He fucks hats. Sounds like a shitty fetish.

  5. Red Hat has termed the bug "Smegma Smack" by Anonymous Coward · · Score: 0

    Users are bending over and preparing for an "exploit".

  6. Why would this affect Apple? by Anonymous Coward · · Score: 0

    Which Apple devices use a Linux kernel?

    1. Re:Why would this affect Apple? by Anonymous Coward · · Score: 1

      Um, do you think their data centers run iOS?

    2. Re:Why would this affect Apple? by Anonymous Coward · · Score: 1, Funny

      Yes, I heard they duct tape old iPhones together to make their servers.

    3. Re:Why would this affect Apple? by SirSlud · · Score: 0

      +1, adorable

      --
      "Old man yells at systemd"
    4. Re: Why would this affect Apple? by Anonymous Coward · · Score: 0

      It also affects FreeBSD. MacOS X is also BSD derived, this is a logical question to ask.

    5. Re:Why would this affect Apple? by Anonymous Coward · · Score: 0

      They use Solaris and AIX.

  7. Not just Linux by Anonymous Coward · · Score: 5, Informative

    The summary seems to suggest the TCP issue is primarily a Linux bug, but the FreeBSD team fixed this same issue earlier in the week. The bug is not limited to one kernel.

    1. Re: Not just Linux by Anonymous Coward · · Score: 0

      And then they died?

    2. Re:Not just Linux by DontBeAMoran · · Score: 0

      If I have to switch from Mac OS X/macOS, I know which OS I'm going to use. The FreeBSD team seems quick to fix things.

      --
      #DeleteFacebook
    3. Re: Not just Linux by Anonymous Coward · · Score: 0

      Are we posting stupid questions?

    4. Re:Not just Linux by Anonymous Coward · · Score: 4, Informative

      All they did is add an option to limit reassembly queue size. Not a fix. Merely a workaround.

      https://lists.freebsd.org/pipermail/freebsd-announce/2018-August/001837.html

    5. Re:Not just Linux by drinkypoo · · Score: 2

      If you don't care about running a binary graphics driver, it's a fine choice. If you do, then Linux is your only non-Windows/OSX choice. If I had an antique graphics card I'd probably be happy with the free driver, but it's only one generation old and for full performance I still need a real driver.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re: Not just Linux by Anonymous Coward · · Score: 0

      I went out to *BSD's grave on Decoration Day. The old forgotten cemetery is to be found adjacent to the dark woods beyond the edge of town. There within olfactory distance of the municipal treatment plant you will find *BSD's final resting place.

      *BSD's tombstone was shrouded by thick mosses and knots of noxious ivy. A mournful funerary crow sounded the requiem, as I gently pulled aside the tangled twists of thorns, and cleaned the decaying marker the best I could. A suffocating melancholia filled my heart, while I pondered that this indeed was *BSD's figurative charnel house of which so many have plaintively spoken.

      Nothing is so pitiful as an untended grave, a loved one now forgotten. The short sad life of this doomed and fated OS makes us realize that there but for the grace of God go all of us.

      I planted some wilting marigolds, found discarded in the waste heap behind the caretaker's shack, wishing that by some miracle these fleurs de mort might take root and bring a modicum of cheer to *BSD's God forsaken plot. My fervent hope is that the torpid colored boy, who so carelessly mows the grounds, doesn't slice them down, inadvertently mirroring *BSD's own doomed encounter with death's irresistible scythe.

      Funny how things work out. Linux, that brilliant novam stellam, now runs the Internet and the world's fastest computers, while *BSD lies moldering within its forgotten crypt. Let the barren silence of *BSD's tomb be a mute reminder that hubris and braggadocio were no defense on that woeful day when the Angel of Death's bleak umbra was cast upon *BSD.

    7. Re: Not just Linux by Anonymous Coward · · Score: 0

      It's a valid fix if they weren't limiting queue sizes before.

    8. Re:Not just Linux by Anonymous Coward · · Score: 0

      Are they, now? https://media.ccc.de/v/34c3-8968-are_all_bsds_created_equally

    9. Re:Not just Linux by Anonymous Coward · · Score: 0

      I prefer the open-source drivers. Usually, a proprietary driver has higher performance in benchmarks, but makes up for it in instability or inability to work with custom-compiled kernels.

      A "high-performance" driver that crashes the PC once a week is simply not interesting.

    10. Re:Not just Linux by Anonymous Coward · · Score: 0

      With zero security mitigations, it's not even "fine" as a server platform, in 21st century. See: HardenedBSD and why it exists.

    11. Re:Not just Linux by Anonymous Coward · · Score: 0

      The patch fixes the bug because it, by default, adds a size limit which stops the attack.

  8. Related to yesterday's story? by Anonymous Coward · · Score: 0

    The attacker must keep an open session, so the DoS goes both ways keeping both sides busy. It reminds me of yesterday's story of including bugs on purpose to distract your attackers. I'm just joking, but imagine if the bug was on purpose to DoS the attackers. :)

  9. No, that was Saddam Hussein by Anonymous Coward · · Score: 0

    He's buying thousands of old iPhone 2's to build a supercomputer to avoid embargoes.

  10. TCP flaw? by mi · · Score: 1

    Did they find a flaw in the Transmission Control Protocol? Or in the Linux implementation of same? In the latter case, that's a Linux bug, not TCP.

    --
    In Soviet Washington the swamp drains you.
    1. Re:TCP flaw? by tlhIngan · · Score: 2

      Did they find a flaw in the Transmission Control Protocol? Or in the Linux implementation of same? In the latter case, that's a Linux bug, not TCP.

      Most flaws found have been implementation flaws (e.g., xmas attack and others), I think the only real TCP flaw was SYN-flooding with spoofed hosts. Before everyone switched to syncookies, doing so would consume resources on the host for book-keeping of those half-open connections (until it timed out). Now that everyone uses syncookies to do the book-keeping of TCP half-open connections with zero overhead, it's not an issue.

      Here it's a Linux/BSD issue where the stack hangs onto packets that arrive out of order until the buffers run out which forces the kernel to coalesce the packets to free up memory (which is an expensive operation). The fix is to recognize the situation and simply drop the packets - it's TCP, they're not acknowledged yet so dropping is the best thing to do.

  11. Confused FUD? by Anonymous Coward · · Score: 0

    I'm confused by this as I can't find any reference to the exploit itself?? Everything is regurgitated from the CVE itself which has no details... From what I gather this attack may have resurfaced in 4.9, but it's certainly not new. We were getting hit with this on IRC servers years ago. Also think this is being blown quite out of proportion since services should have countermeasures in place already by way of _basic_ timeouts.

    tl;dr - Bad guys hide on the Internet and security vendors sell fear.

  12. Fake news! by Anonymous Coward · · Score: 0

    This is unpossible! Teh loonix is perfect and never has problems like this!

  13. Linux Patch Link Here by Wrath0fb0b · · Score: 5, Informative

    Not sure why the editors didn't include the actual patch or technical details, but here's the thread. Click "Related" at the top to see the 5-part patch.

    In short, looking at the patch, the DOS attacks the sequence/buffer for reordering TCP packets. Specifically, after sending lots of tiny packets with out of order sequence numbers, a couple things happen:

    (1) There is an expensive operation to coalesce adjacent packets. This has to run through the entire out of order RB tree, and generally sucks. The fix avoids doing this until the OOO buffer is almost entirely full.

    (2) When doing the collapse, keep track of how many 'tiny' packets there are and just bail out rather than continuing to do lots of operations/copies attempting to coalesce them.

    (3) Once you've filled up the entire OOO buffer, Linux only drops just enough older packets to get under the boundary. This exacerbates the previous issues, as the attacker can keep the buffer entirely full. The patch changes this to always drop in batches (1/8th of the memory) each time it's full.

    Neat patch. Editors, next time can we get some real analysis?
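
The effect of point (3) in the comment above, as an added example that is not part of the original post and is not kernel code: a simplified C model that counts how often a full out-of-order queue has to be walked when pruning frees just enough room versus 1/8 of the budget. The names `simulate` and `sim_result`, the one-walk-per-prune cost model, and all numbers are assumptions constructed for illustration.

```c
#include <stdio.h>

/* Simplified model, not kernel code: each queued out-of-order segment
 * charges `truesize` bytes against a receive budget of `rcvbuf` bytes. */
struct sim_result {
    unsigned long prune_calls;   /* times the queue hit the budget */
    unsigned long nodes_walked;  /* segments visited by those passes */
    unsigned long dropped;       /* segments discarded */
};

/* Feed `packets` tiny out-of-order segments into the model.
 * batch_divisor == 0: free just enough room for the new segment.
 * batch_divisor == 8: free at least rcvbuf/8 on every prune. */
struct sim_result simulate(unsigned long packets, unsigned long rcvbuf,
                           unsigned long truesize, unsigned batch_divisor)
{
    struct sim_result r = {0, 0, 0};
    unsigned long queued = 0;            /* segments currently queued */

    for (unsigned long i = 0; i < packets; i++) {
        if ((queued + 1) * truesize > rcvbuf) {
            /* Over budget: one full pass over the queue, then drop. */
            unsigned long goal = batch_divisor ? rcvbuf / batch_divisor : truesize;
            unsigned long drop = (goal + truesize - 1) / truesize;
            if (drop > queued)
                drop = queued;
            r.prune_calls++;
            r.nodes_walked += queued;
            queued -= drop;
            r.dropped += drop;
        }
        queued++;
    }
    return r;
}

int main(void)
{
    /* Constructed numbers: 64 KiB budget, 512 bytes charged per segment. */
    struct sim_result a = simulate(100000, 65536, 512, 0);
    struct sim_result b = simulate(100000, 65536, 512, 8);
    printf("just-enough: %lu prunes, %lu nodes walked\n", a.prune_calls, a.nodes_walked);
    printf("batch 1/8:   %lu prunes, %lu nodes walked\n", b.prune_calls, b.nodes_walked);
    return 0;
}
```

With these constructed numbers the just-enough policy walks the full queue on every packet once the budget is reached, while the batched policy does so once per 16 packets and discards the same number of segments.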

    1. Re:Linux Patch Link Here by Anonymous Coward · · Score: 0

      Editors, next time can we get some real analysis?

      Of course! You're hired.

      P.S. Nice summary. +5, Informative. It also warms the cockles of my heart to see the /. tradition of heckling the editors continued.

    2. Re:Linux Patch Link Here by Anonymous Coward · · Score: 0

      .. the DOS attacks the sequence/buffer for reordering TCP packets. Specifically, after sending lots of tiny packets with out of order sequence numbers, a couple things happen:

      Someone needs their head kicked in for this. It's gone by different names but Frag attacks are nothing new, hell linux by default _did_ have an upper limit. The "solution" is a clusterfuck, how in the world is that being committed??

      TCP fragments are necessary in some networks. Next thing you know they will disable TSO because errmmgawd it too can be abused. News flash, it's an amplifier.

  14. Re: Kernel update required?? by c6gunner · · Score: 1

    You probably should have read the next two words, instead of just stopping at "4.9".

  15. TFS's most interesting moniker for Oracle... by ftobin · · Score: 2

    The "Solaris slinger"

  16. 11 December 2016 by Anonymous Coward · · Score: 0

    Only 19 months for all those eyes looking at the open source to find it. Not too bad.

  17. Re:Kernel update required?? by Anonymous Coward · · Score: 0

    And you had an update a few days ago. Aren't you checking for updates and reading their changelogs? Tsk tsk tsk. BAD user, you. USN-3732-1. Fixed.

  18. Flaw? by Anonymous Coward · · Score: 0

    Print hot butter into your switch Port can also create a DDOS-like effect on anything plugged into it.

    ALERT! Get CERT! Butter has a networking "flaw".

  19. Re:Kernel update required?? by Anonymous Coward · · Score: 0

    Linux kernel version 4.9 and up

  20. what vanilla kernel versions affected? by Anonymous Coward · · Score: 0

    It would be really useful to know which exact vanilla kernel versions are affected, like up to 4.9.xxx, up to 4.14.yyy, up to 4.17.zzz, or at least "fixed in version 4.17.zzz". Distros that backport network patches will mean that distros older than 4.9 could still be affected. Is there an informational page that actually helps people determine if they are affected, given their current vanilla kernel version or distro version?

  21. Finally! by Anonymous Coward · · Score: 0

    2018: Year of the Linux DoSTop! :-)

  22. DOS 6.22 by Anonymous Coward · · Score: 0

    Only impacts DOS 6.22