New vulnerabilities found in Linux over TCP/IP


The TCP/IP protocol suite, developed under the auspices of the United States Department of Defense, has given rise to inherent security problems in the design of the protocol or in most TCP/IP implementations.

As has been shown, attackers use these vulnerabilities to carry out a variety of attacks on systems. The typical problems exploited in the TCP/IP protocol suite are IP spoofing, port scanning, and denial of service.

Netflix researchers have found 4 flaws that could cause damage in data centers. These vulnerabilities were recently discovered in the Linux and FreeBSD operating systems. They allow attackers to lock up servers and disrupt remote communications.

About the flaws that were found

The most serious vulnerability, called SACK Panic, can be exploited by sending a sequence of TCP selective acknowledgments crafted specifically for a vulnerable computer or server.

The system responds by crashing or entering a kernel panic. Successful exploitation of this vulnerability, identified as CVE-2019-11477, results in a remote denial of service.

Denial-of-service attacks try to consume all the critical resources of a target system or network so that they are not available for normal use. Denial-of-service attacks are considered a significant risk because they can easily disrupt a business and are easy to carry out.

The second vulnerability works by sending a series of malicious SACKs (malicious acknowledgment packets) that consume the computing resources of the vulnerable system. The exploits normally work by fragmenting the TCP packet retransmission queue.

Exploitation of this vulnerability, tracked as CVE-2019-11478, degrades system performance and can cause a complete denial of service.

These two vulnerabilities exploit the way operating systems handle TCP Selective Acknowledgment (SACK for short).

SACK is a mechanism that lets the receiving computer in a connection tell the sender which segments arrived successfully, so that the lost ones can be resent. The vulnerabilities work by overflowing the queue that stores received packets.

The third vulnerability, found in FreeBSD 12 and identified as CVE-2019-5599, works in the same way as CVE-2019-11478, but it interacts with the RACK send map of that operating system.

The fourth vulnerability, CVE-2019-11479, can slow down affected systems by reducing the maximum segment size of a TCP connection.

This setting forces vulnerable systems to send their responses across many TCP segments, each containing eight bytes of data.

The vulnerabilities cause the system to consume a large amount of bandwidth and resources, degrading system performance.

The variants of denial-of-service attack mentioned above include ICMP or UDP floods, which can slow down network operations.

These attacks make the victim spend resources such as bandwidth and system buffers answering attack requests at the expense of valid requests.

Netflix researchers discovered these vulnerabilities and announced them publicly several days ago.

Linux distributions have released patches for these vulnerabilities, or there are some really useful configuration tweaks that mitigate them.

The solutions are to block connections with a low maximum segment size (MSS), disable SACK processing, or quickly disable the TCP RACK stack.

These settings can disrupt legitimate connections, and if the TCP RACK stack is disabled, an attacker could cause costly chaining of the linked list for subsequent SACKs received on the same TCP connection.
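To check which of these workarounds a Linux host actually has in place, the following added example (not part of the original article) reads the `tcp_sack` and `tcp_mtu_probing` sysctls and looks for an iptables `tcpmss` drop rule in `iptables-save` output; the low-MSS filter is counted only while MTU probing is off. The script name `audit.sh`, the `rules.v4` file name and the sample rule with its value of 500 are assumptions constructed for illustration, and the script checks workarounds only, not whether the kernel is patched.

```shell
#!/bin/sh
# Added example: audit a Linux host for the SACK / low-MSS workarounds.

# sack_state PROC_ROOT: report whether selective-ACK processing is on.
sack_state() {
    f="$1/sys/net/ipv4/tcp_sack"
    [ -r "$f" ] || { echo unknown; return 0; }
    if [ "$(cat "$f")" = 0 ]; then echo disabled; else echo enabled; fi
}

# low_mss_drop RULES: highest N in an "--mss 1:N ... -j DROP" rule, else 0.
low_mss_drop() {
    n=$(sed -n 's/^-A .*-m tcpmss .*--mss 1:\([0-9][0-9]*\) .*-j DROP.*$/\1/p' \
        "$1" 2>/dev/null | sort -n | tail -n 1)
    echo "${n:-0}"
}

# audit PROC_ROOT RULES: print state; succeed only if a workaround is active.
audit() {
    sack=$(sack_state "$1")
    mss=$(low_mss_drop "$2")
    probe=$(cat "$1/sys/net/ipv4/tcp_mtu_probing" 2>/dev/null || echo unknown)
    verdict=none
    [ "$sack" = disabled ] && verdict=sack-off
    # The low-MSS filter only counts while MTU probing is off (value 0).
    if [ "$mss" -gt 0 ] && [ "$probe" = 0 ]; then
        if [ "$verdict" = none ]; then verdict=mss-filter; else verdict=both; fi
    fi
    echo "tcp_sack=$sack low_mss_drop=$mss mtu_probing=$probe verdict=$verdict"
    [ "$verdict" != none ]
}

# make_sample DIR SACK PROBE RULE: write constructed host state for a dry run.
make_sample() {
    mkdir -p "$1/sys/net/ipv4"
    echo "$2" > "$1/sys/net/ipv4/tcp_sack"
    echo "$3" > "$1/sys/net/ipv4/tcp_mtu_probing"
    printf '%s\n' '*filter' "$4" 'COMMIT' > "$1/rules.v4"
}

# Live use: iptables-save > rules.v4; sh audit.sh /proc rules.v4
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
else
    d=$(mktemp -d)   # no arguments: dry run on constructed sample state
    make_sample "$d" 1 0 '-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP'
    audit "$d" "$d/rules.v4"
    rm -rf "$d"
fi
```

A non-zero exit status from `audit` means neither workaround was found, which makes the script usable as a check in configuration management.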

Finally, let us remember that the TCP/IP protocol suite was designed to work in a trusted environment.

The model was developed as a set of flexible, fault-tolerant protocols that are robust enough to avoid failure in the event of one or more node failures.

