Slashdot Mirror
TCP Flaw Lets Remote Attackers Stall Devices With Tiny DoS Attack (zdnet.com)
An anonymous reader quotes a report from ZDNet: Security researchers are warning Linux system users of a bug in the Linux kernel version 4.9 and up that could be used to hit systems with a denial-of-service attack on networking kit. The warning comes from Carnegie Mellon University's CERT/CC, which notes that newer versions of the Linux kernel can be "forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (DoS)".
It lists a number of network-equipment vendors, PC and server manufacturers, mobile vendors, and operating-system makers that may be affected but notes that it hasn't confirmed whether any of them actually are. But, given the widespread use of Linux, the bug could affect every vendor from Amazon and Apple through to Ubuntu and ZyXEL. A remote attacker could cause a DoS by sending specially modified packets within ongoing TCP sessions. But sustaining the DoS condition would mean an attacker needs to have continuous two-way TCP sessions to a reachable and open port. The bug, dubbed "SegmentSmack" by Red Hat, has "no effective workaround/mitigation besides a fixed kernel."
It lists a number of network-equipment vendors, PC and server manufacturers, mobile vendors, and operating-system makers that may be affected but notes that it hasn't confirmed whether any of them actually are. But, given the widespread use of Linux, the bug could affect every vendor from Amazon and Apple through to Ubuntu and ZyXEL. A remote attacker could cause a DoS by sending specially modified packets within ongoing TCP sessions. But sustaining the DoS condition would mean an attacker needs to have continuous two-way TCP sessions to a reachable and open port. The bug, dubbed "SegmentSmack" by Red Hat, has "no effective workaround/mitigation besides a fixed kernel."
The summary seems to suggest the TCP issue is primarily a Linux bug, but the FreeBSD team fixed this same issue earlier in the week. The bug is not limited to one kernel.
Not sure why the editors didn't include the actual patch or technical details, but here's the thread. Click "Related" at the top to see the 5-part patch.
In short, looking at the patch, the DOS attacks the sequence/buffer for reordering TCP packets. Specifically, after sending lots of tiny packets with out of order sequence numbers, a couple things happen:
(1) There is an expensive operation to coalesce adjacent packets. This has to run through the entire out of order RB tree, and generally sucks. The fix avoids doing this until the OOO buffer is almost entirely full.
(2) When doing the collapse, keep track of how many 'tiny' packets there are and just bail out rather than continuing to do lots of operations/copies attempting to coalesce them.
(3) Once you've filled up the entire OOO buffer, Linux only drops just enough older packets to get under the boundary. This exacerbates the previous issues, as the attacker can keep the buffer entirely full. The patch changes this always drop in batches (1/8th of the memory) each time it's full.
Neat patch. Editors, next time can we get some real analysis?