New TCP/IP vulnerabilities found in Linux (and FreeBSD)


The TCP/IP protocol suite, developed under the patronage of the United States Department of Defense, carries security weaknesses that are inherent either in the protocol design or in most TCP/IP implementations.

It has long been known that attackers use these weaknesses to mount a variety of attacks. Typical problems exploited in the TCP/IP suite are IP spoofing, port scanning (reconnaissance rather than a flaw in itself) and denial of service.

Netflix researchers have discovered four flaws that could wreak havoc in data centers. The vulnerabilities affect the Linux and FreeBSD kernels and allow a remote attacker to crash servers or severely degrade their network communications.

About the bugs found

The most serious vulnerability, called SACK Panic, can be exploited by sending a specially crafted sequence of TCP Selective Acknowledgments (SACKs) to a vulnerable machine.

The crafted sequence triggers an integer overflow in the kernel's socket buffer (SKB) segment accounting, and the kernel responds by panicking, that is, crashing. Successful exploitation of this vulnerability, tracked as CVE-2019-11477, results in a remote denial of service.

Denial-of-service attacks try to exhaust a critical resource on the target system or network so that it is no longer available for normal use. They are considered a significant risk because they can easily disrupt a business and are comparatively simple to carry out.

A second vulnerability is also triggered by a series of crafted SACKs, which consume the CPU resources of the vulnerable system. The attack works by fragmenting the TCP retransmission queue into a large number of small pieces that the kernel then has to walk on every subsequent acknowledgment.

Exploitation of this vulnerability, tracked as CVE-2019-11478, severely degrades system performance and can potentially cause a complete denial of service.

Both vulnerabilities abuse the way operating systems handle TCP Selective Acknowledgment (SACK for short).

SACK is a mechanism (RFC 2018) that lets the receiver tell the sender exactly which segments have arrived, so that only the segments that were lost need to be retransmitted. The vulnerabilities abuse the sender's retransmission queue: the list of segments that have been transmitted but not yet acknowledged, which the kernel must keep until the peer acknowledges them.

The third vulnerability, found in FreeBSD 12 and tracked as CVE-2019-5599, works the same way as CVE-2019-11478 but targets that operating system's RACK send map instead of the Linux retransmission queue.

A fourth vulnerability, CVE-2019-11479, can slow down affected systems by advertising a very low maximum segment size (MSS) for a TCP connection.

This forces the vulnerable system to send its responses as a long series of TCP segments, each of which carries only 8 bytes of data.

The result is that the system spends a disproportionate amount of bandwidth and CPU on headers and per-segment processing, and its performance degrades accordingly.
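To make the mechanics concrete, here is an added example (not code from the article or from the Netflix advisory) that parses the TCP options these bugs revolve around: the MSS option that CVE-2019-11479 abuses, the SACK-permitted and SACK-block options behind the other three, a check that mirrors the advisory's "drop SYNs advertising MSS 1..500" filter, and a hole calculation showing how a sender turns received SACK blocks into a retransmission list. The option byte strings and sequence numbers are constructed for the example, the 500-byte cut-off is the advisory's sample value, and the hole calculation assumes sequence numbers do not wrap.

```python
"""TCP option parsing for the SACK / low-MSS bug family.

Added example; the option bytes and sequence numbers below are constructed
for illustration and the hole computation ignores 32-bit sequence wrap.
"""
import struct

TCPOPT_EOL = 0             # end of option list
TCPOPT_NOP = 1             # padding
TCPOPT_MSS = 2             # maximum segment size, RFC 793 (length 4)
TCPOPT_SACK_PERMITTED = 4  # RFC 2018, only valid in a SYN (length 2)
TCPOPT_SACK = 5            # RFC 2018, list of (left, right) edges
RFC879_DEFAULT_MSS = 536   # assumed when a SYN carries no MSS option


def parse_tcp_options(raw):
    """Decode a TCP options byte string into a list of (kind, value).

    MSS -> int, SACK -> list of (left_edge, right_edge), SACK-permitted
    -> None, anything else -> raw payload bytes. Bad lengths raise
    ValueError rather than being skipped: silently tolerating malformed
    options is how parsers get walked into undefined states.
    """
    opts = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        body = raw[i + 2:i + length]
        if kind == TCPOPT_MSS:
            if length != 4:
                raise ValueError("MSS option must be 4 bytes long")
            opts.append((kind, struct.unpack("!H", body)[0]))
        elif kind == TCPOPT_SACK_PERMITTED:
            if length != 2:
                raise ValueError("SACK-permitted option must be 2 bytes long")
            opts.append((kind, None))
        elif kind == TCPOPT_SACK:
            if not body or len(body) % 8:
                raise ValueError("SACK option must carry 8-byte block pairs")
            blocks = [struct.unpack("!II", body[j:j + 8])
                      for j in range(0, len(body), 8)]
            opts.append((kind, blocks))
        else:
            opts.append((kind, body))
        i += length
    return opts


def mss_from_syn_options(raw):
    """MSS advertised in a SYN, or the RFC 879 default if none is present."""
    for kind, value in parse_tcp_options(raw):
        if kind == TCPOPT_MSS:
            return value
    return RFC879_DEFAULT_MSS


def blocked_by_low_mss_filter(raw, max_blocked_mss=500):
    """Would a 'drop SYNs with MSS 1..500' filter drop this SYN?

    500 is the cut-off the Netflix advisory uses as an example; pick the
    value that fits your own environment.
    """
    return 1 <= mss_from_syn_options(raw) <= max_blocked_mss


def unacked_ranges(snd_una, snd_nxt, sack_blocks):
    """Ranges [left, right) in flight that no SACK block covers.

    This is what the sender must retransmit. Every non-contiguous SACK
    block adds a hole, which is why a stream of tiny crafted blocks
    fragments the retransmission queue. No sequence-wrap handling here.
    """
    holes = []
    pos = snd_una
    for left, right in sorted(sack_blocks):
        left, right = max(left, pos), min(right, snd_nxt)
        if left >= right:
            continue
        if left > pos:
            holes.append((pos, left))
        pos = right
    if pos < snd_nxt:
        holes.append((pos, snd_nxt))
    return holes


# Constructed sample inputs.
SYN_OPTS_NORMAL = b"\x02\x04\x05\xb4\x04\x02\x01\x01"  # MSS 1460, SACK-permitted, NOP, NOP
SYN_OPTS_LOW = b"\x02\x04\x00\x30\x04\x02"              # MSS 48, SACK-permitted
SACK_OPTS = b"\x01\x01\x05\x12" + struct.pack("!IIII", 2000, 3000, 4000, 4500)

if __name__ == "__main__":
    for label, opts in (("normal SYN", SYN_OPTS_NORMAL), ("low-MSS SYN", SYN_OPTS_LOW)):
        verdict = "dropped" if blocked_by_low_mss_filter(opts) else "allowed"
        print(label, "MSS", mss_from_syn_options(opts), verdict)
    (_, blocks), = parse_tcp_options(SACK_OPTS)
    print("holes to retransmit:", unacked_ranges(1000, 5000, blocks))
```

Feeding `unacked_ranges` a few hundred one-byte SACK blocks instead of the two above shows the effect that CVE-2019-11478 and CVE-2019-5599 exploit: the retransmission list grows with every block, and a real kernel has to walk its queue for each one.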

Other denial-of-service variants in the same family include ICMP and UDP floods, which can bring network operations to a crawl.

These attacks make the victim spend resources such as bandwidth and system buffers on answering the attacker's requests at the expense of legitimate ones.

Netflix researchers discovered these vulnerabilities and disclosed them publicly a few days ago.

Linux distributions have released patches for these vulnerabilities, and there are also configuration tweaks that mitigate them where patching is not yet possible.

The workarounds are to block connections that advertise a low maximum segment size (MSS), to disable SACK processing, or, on FreeBSD, to disable the RACK TCP stack.

Each of these settings can disrupt legitimate connections: blocking low-MSS clients drops hosts that genuinely need a small segment size, and disabling SACK hurts throughput on lossy links. On FreeBSD the RACK stack is itself the vulnerable component: while RACK is in use, an attacker can fragment its send map and force costly linked-list walks for every subsequent SACK received on the same TCP connection, which is why switching RACK off is the workaround rather than a risk.
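Because the Linux workarounds are all sysctl and firewall settings, they can be audited. The following is an added example, not code from the article or from the Netflix advisory, that reads the relevant Linux tunables and lists which workarounds still apply. The tunable names (`net.ipv4.tcp_sack`, `net.ipv4.tcp_mtu_probing`, `net.ipv4.tcp_min_snd_mss`) are the real kernel names; treating the presence of `tcp_min_snd_mss`, which the CVE-2019-11479 fix introduced, as evidence that a fixed kernel is running is this example's heuristic, and the 1..500 MSS cut-off in the generated iptables rule is the advisory's sample value. The sample sysctl dictionaries are constructed for the example.

```python
"""Audit a Linux host for the SACK Panic workarounds.

Added example. read_sysctls() reads the live /proc/sys tree (or a tree
under proc_root, for testing); the other functions are pure so they can
be exercised with constructed input. The patch-detection heuristic is
this example's own, not something the kernel guarantees.
"""
import os

TUNABLES = (
    "net.ipv4.tcp_sack",         # 0 disables SACK processing (CVE-2019-11477/11478)
    "net.ipv4.tcp_mtu_probing",  # must be 0 for the low-MSS filter to be effective
    "net.ipv4.tcp_min_snd_mss",  # only exists on kernels with the CVE-2019-11479 fix
)


def read_sysctls(proc_root="/", names=TUNABLES):
    """Read tunables from <proc_root>/proc/sys; missing ones map to None."""
    values = {}
    for name in names:
        path = os.path.join(proc_root, "proc", "sys", *name.split("."))
        try:
            with open(path) as f:
                values[name] = f.read().strip()
        except OSError:
            values[name] = None
    return values


def audit_sack_mitigations(sysctls):
    """Summarise mitigation state from a {tunable: value-or-None} mapping."""
    min_snd_mss = sysctls.get("net.ipv4.tcp_min_snd_mss")
    return {
        "sack_enabled": sysctls.get("net.ipv4.tcp_sack") == "1",
        "mtu_probing_enabled": sysctls.get("net.ipv4.tcp_mtu_probing") not in (None, "0"),
        # Heuristic: the sysctl was added by the low-MSS fix, so its presence
        # indicates a kernel carrying the SACK Panic patch set.
        "low_mss_patch_present": min_snd_mss is not None,
        "min_snd_mss": int(min_snd_mss) if min_snd_mss is not None else None,
    }


def recommended_workarounds(status):
    """Shell commands from the advisory's workaround list that still apply.

    Disabling SACK covers CVE-2019-11477 and CVE-2019-11478 only; the
    low-MSS filter covers CVE-2019-11479 as well, but, as the advisory
    notes, only while MTU probing is off. Neither is needed on a patched
    kernel.
    """
    if status["low_mss_patch_present"]:
        return []
    cmds = []
    if status["sack_enabled"]:
        cmds.append("sysctl -w net.ipv4.tcp_sack=0")
    cmds.append("iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP")
    if status["mtu_probing_enabled"]:
        cmds.append("sysctl -w net.ipv4.tcp_mtu_probing=0")
    return cmds


if __name__ == "__main__":
    live = audit_sack_mitigations(read_sysctls())
    for key, value in live.items():
        print("%-22s %s" % (key, value))
    todo = recommended_workarounds(live)
    print("\n".join(todo) if todo else "no workaround needed (patched kernel detected)")
```

On a patched kernel the script prints the `tcp_min_snd_mss` value (48 by default) and no commands; on an unpatched one it prints the sysctl and iptables lines to apply until the kernel can be updated. Remember that these commands are not persistent: put the sysctl values in `/etc/sysctl.d/` and the iptables rule in whatever your distribution uses to restore rules at boot.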

Finally, it is worth remembering that the TCP/IP protocol suite was designed to operate in a trusted environment.

The model was developed as a set of flexible, fault-tolerant protocols, robust enough to keep working when one or more nodes fail; resisting a deliberately hostile peer was never part of that design.

