Linux DDoS

Maintainers of the Linux kernel have rolled out patches in recent weeks for two bugs that are just ideal for causing havoc via DDoS attacks.

Both bugs affect the Linux kernel's TCP stack and are known to trigger excessive resource usage in Linux-based systems.

Exploiting either bug requires sending malformed TCP or IP packets to a targeted server, personal computer, tablet, or smartphone. The attack triggers a resource exhaustion condition (increased CPU and RAM use) that leads to a reboot of the affected system.

SegmentSmack and FragmentSmack

The two bugs are known as SegmentSmack (CVE-2018-5390) and FragmentSmack (CVE-2018-5391).

Attackers can exploit SegmentSmack via a specially crafted stream of TCP segments, while FragmentSmack requires a specially crafted stream of IP datagrams.

The source of the problem for SegmentSmack resides in the tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions, while FragmentSmack occurs because of the way the Linux kernel handles reassembly of fragmented IPv4 and IPv6 packets.

Devices running Linux kernel 4.9 and later are vulnerable to SegmentSmack, while devices running Linux kernel 3.9 and later are vulnerable to FragmentSmack.

Just ideal for DoS/DDoS attacks

Because the bugs sit in the TCP and IP handling code, these vulnerabilities can be exploited remotely, which makes them ideal for weaponizing as part of DoS or DDoS attacks.

No proof of concept code is currently available online, which somewhat reduces the immediate danger to device owners.

The Linux kernel project has released an updated version that includes fixes for both [1, 2]. Companies and open source projects that use the Linux kernel for their custom operating systems will have to update the Linux kernel they use to include these two updates.

Major Linux distributions such as Debian, Red Hat, and Ubuntu have already shipped updates, as has the Android OS. Vendors of Linux-based SOHO routers will probably be slower in incorporating these updates. ISP-grade routers, firewall providers, cloud services, and hosting firms will also have to ship or deploy updates.

For cases where a patch can't be applied just yet for the FragmentSmack vulnerability, the Debian team recommends the following temporary mitigation:

Change the default values of net.ipv4.ipfrag_high_thresh and net.ipv4.ipfrag_low_thresh back to 256 kB and 192 kB (respectively) or below.
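As an added example (not from the article or from the Debian team), the following POSIX shell script audits a sysctl.conf-style file against those two ceilings and prints the lines that would bring the values back within them; the sample configuration with its 4 MB and 3 MB values, and all function names, are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not from the article or the Debian advisory: audit the
# IPv4 fragment-reassembly thresholds named in the interim FragmentSmack
# mitigation and print the sysctl lines that bring them back within limits.

IPFRAG_HIGH_MAX=262144   # 256 kB (256 * 1024), the recommended ceiling
IPFRAG_LOW_MAX=196608    # 192 kB (192 * 1024)

# ipfrag_thresholds_ok HIGH LOW -> 0 when both are at or below the ceilings
# and the low watermark does not exceed the high one.
ipfrag_thresholds_ok() {
    [ "$1" -le "$IPFRAG_HIGH_MAX" ] || return 1
    [ "$2" -le "$IPFRAG_LOW_MAX" ] || return 1
    [ "$2" -le "$1" ] || return 1
}

# read_sysctl_value KEY FILE -> value of KEY in a sysctl.conf-style file
# (comments ignored; the last assignment wins).
read_sysctl_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$2" | tail -n 1
}

# mitigation_lines -> sysctl.d fragment applying the recommended ceilings
mitigation_lines() {
    printf 'net.ipv4.ipfrag_high_thresh = %s\nnet.ipv4.ipfrag_low_thresh = %s\n' \
        "$IPFRAG_HIGH_MAX" "$IPFRAG_LOW_MAX"
}

# audit_sysctl_file FILE -> 0 within limits, 1 too high, 2 not set in FILE
audit_sysctl_file() {
    audit_high=$(read_sysctl_value net.ipv4.ipfrag_high_thresh "$1")
    audit_low=$(read_sysctl_value net.ipv4.ipfrag_low_thresh "$1")
    if [ -z "$audit_high" ] || [ -z "$audit_low" ]; then
        echo "$1: ipfrag thresholds not set here; the kernel default applies"
        return 2
    fi
    if ipfrag_thresholds_ok "$audit_high" "$audit_low"; then
        echo "$1: high=$audit_high low=$audit_low within recommended limits"
        return 0
    fi
    echo "$1: high=$audit_high low=$audit_low exceed the limits; use instead:"
    mitigation_lines
    return 1
}

# Constructed sample: a sysctl.conf carrying 4 MB / 3 MB thresholds.
SAMPLE_CONF=$(mktemp)
printf 'net.ipv4.ipfrag_high_thresh = 4194304\nnet.ipv4.ipfrag_low_thresh = 3145728\n' > "$SAMPLE_CONF"
audit_sysctl_file "$SAMPLE_CONF" || true
rm -f "$SAMPLE_CONF"
```

On a running host the live values come from `sysctl net.ipv4.ipfrag_high_thresh net.ipv4.ipfrag_low_thresh`, and the printed lines can be placed in a file under /etc/sysctl.d/ and loaded with `sysctl --system`.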

Patch information for SegmentSmack is already available, while FragmentSmack was patched only recently, so its patch information will be published later.

Juha-Matti Tilli, a researcher with Nokia Labs and the Department of Communications and Networking at the Aalto University, was credited with discovering both bugs.
