Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Bug Security Linux

TCP Flaw Lets Remote Attackers Stall Devices With Tiny DoS Attack (zdnet.com) 54

An anonymous reader quotes a report from ZDNet: Security researchers are warning Linux system users of a bug in the Linux kernel version 4.9 and up that could be used to hit systems with a denial-of-service attack on networking kit. The warning comes from Carnegie Mellon University's CERT/CC, which notes that newer versions of the Linux kernel can be "forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (DoS)".

It lists a number of network-equipment vendors, PC and server manufacturers, mobile vendors, and operating-system makers that may be affected but notes that it hasn't confirmed whether any of them actually are. But, given the widespread use of Linux, the bug could affect every vendor from Amazon and Apple through to Ubuntu and ZyXEL. A remote attacker could cause a DoS by sending specially modified packets within ongoing TCP sessions. But sustaining the DoS condition would mean an attacker needs to have continuous two-way TCP sessions to a reachable and open port.
The bug, dubbed "SegmentSmack" by Red Hat, has "no effective workaround/mitigation besides a fixed kernel."
This discussion has been archived. No new comments can be posted.

TCP Flaw Lets Remote Attackers Stall Devices With Tiny DoS Attack

Comments Filter:
  • by 93 Escort Wagon ( 326346 ) on Tuesday August 07, 2018 @06:43PM (#57088684)

    Hold me closer, Tiny DoSser...
    Count the packets on the (information super) highway,
    Lay me down with TCP calls,
    You've had a busy day today.

  • Not just Linux (Score:5, Informative)

    by Anonymous Coward on Tuesday August 07, 2018 @07:21PM (#57088852)

    The summary seems to suggest the TCP issue is primarily a Linux bug, but the FreeBSD team fixed this same issue earlier in the week. The bug is not limited to one kernel.

    • If I have to switch from Mac OS X/macOS, I know which OS I'm going to use. The FreeBSD team seems quick to fix things.

      • If you don't care about running a binary graphics driver, it's a fine choice. If you do, then Linux is your only non-Windows/OSX choice. If I had an antique graphics card I'd probably be happy with the free driver, but it's only one generation old and for full performance I still need a real driver.

    • Re:Not just Linux (Score:4, Informative)

      by Anonymous Coward on Tuesday August 07, 2018 @07:40PM (#57088936)

      All they did is add an option to limit reassembly queue size. Not a fix. Merely a workaround.

      https://lists.freebsd.org/pipermail/freebsd-announce/2018-August/001837.html

  • Did the find a flaw in the Transmission Control Protocol? Or in the Linux implementation of same? In the latter case, that's a Linux bug, not TCP.

    • by tlhIngan ( 30335 )

      Did the find a flaw in the Transmission Control Protocol? Or in the Linux implementation of same? In the latter case, that's a Linux bug, not TCP.

      Most flaws found have been implementation flaws (e.g., xmas attack and others), I think the only real TCP flaw was SYN-flooding with spoofed hosts. Before everyone switched to syncookies, doing so would consume resources on the host for book-keeping of those half-open connections (until it timed out). Now that everyone uses syncookies to do the book-keeping of TCP

  • by Wrath0fb0b ( 302444 ) on Tuesday August 07, 2018 @09:56PM (#57089430)

    Not sure why the editors didn't include the actual patch or technical details, but here's the thread [ozlabs.org]. Click "Related" at the top to see the 5-part patch.

    In short, looking at the patch, the DOS attacks the sequence/buffer for reordering TCP packets. Specifically, after sending lots of tiny packets with out of order sequence numbers, a couple things happen:

    (1) There is an expensive operation to coalesce adjacent packets. This has to run through the entire out of order RB tree, and generally sucks. The fix avoids doing this until the OOO buffer is almost entirely full.

    (2) When doing the collapse, keep track of how many 'tiny' packets there are and just bail out rather than continuing to do lots of operations/copies attempting to coalesce them.

    (3) Once you've filled up the entire OOO buffer, Linux only drops just enough older packets to get under the boundary. This exacerbates the previous issues, as the attacker can keep the buffer entirely full. The patch changes this always drop in batches (1/8th of the memory) each time it's full.

    Neat patch. Editors, next time can we get some real analysis?

  • by ftobin ( 48814 ) on Wednesday August 08, 2018 @02:57AM (#57090142) Homepage

    The "Solaris slinger"

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...