Hello, welcome to the Tuesday, June 18th, 2019 edition of the Santernat Storm Center's Stormcast.

My name is Johannes Ulrich Entertainment recording from Washington, D.C.

Netflix reported a number of different vulnerabilities in Linux and free BSD kernels that can be used to trigger

kernel panic. These vulnerabilities are related to the TCP Selective Acknowledgement feature.

TCP Selective Acknowledgement is a TCP option that can be used in order to acknowledge out-of-order TCP segments.

Without selective acknowledgement, TCP can only acknowledge the last complete set of segments received,

indicating the next segment, the next next bite really it's expecting to

receive with selective acknowledgement any future discontinuous segments that are

received can also be acknowledged which of course improves performance somewhat. Well the problem here is that

any recent Linux kernel doesn't actually do this quite correctly if extremely small segments

are received and as a result this can trigger a kernel panic leading essentially to a

relatively simple to exploit remote denial of service attack. Some compared it to a ping

of death which isn't quite wrong well it's TCP not ICMP but other than that the impact

is somewhat similar. So how do you offend against this?

Well, apply the patch or if you don't want to patch right now, you can also just disable

selective acknowledgments in your Linux kernel. That's not terribly hard to do, just a simple

setting in the proc file system

and probably not going to affect performance by a lot. From a network defense point of view,

it looks like the attack, at least the denial of service attack, does require packets with a

maximum segment size of 48 bytes.

This is an extremely small value and according to the RFC, that value actually should not be less than 536 bytes.

So if you have the ability to filter on TCP options, then filtering anything with a maximum segment size of less than 536 should be reasonably safe.

...