SecurityTracker Archives

Category:   OS (Linux)  >   Linux Kernel
Vendors:   [Multiple Authors/Vendors]
Linux 2.4 Kernel Route Cache Flaw Allows Remote Users to Cause Denial of Service Conditions
SecurityTracker Alert ID:  1006775
SecurityTracker URL:  http://securitytracker.com/id/1006775
CVE Reference:   CVE-2003-0244
Updated:  Dec 5 2003
Original Entry Date:  May 15 2003
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.4, prior to 2.4.21-rc2
Description:   A vulnerability was reported in the Linux 2.4 operating system kernel route cache hash table. A remote user can send specially crafted packets to cause excessive CPU utilization and denial of service conditions.

It is reported that the kernel and the Netfilter IP conntrack module hash table implementations contain a flaw. Other hash table implementations within the kernel may also be affected. A remote user can send packets with specially crafted and invalid source addresses to cause hash collisions, with every routing cache entry hashed into the same hash chain. This will cause the kernel to consume excessive CPU resources and can result in denial of service conditions.

According to the report, on a target host using 1 GB of RAM, a stream of 400 packets per second can cause the host to freeze.
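To make the mechanism concrete, the following simulation is an added example; it is not code from the advisory, from the kernel, or from the linux-kernel post quoted below. It models a chained hash table of the shape the advisory describes (route entries keyed by source address, destination address and TOS, hashed into a fixed number of buckets) and measures how many chain entries each lookup has to compare, which is the CPU cost a collision stream drives up. It runs the same constructed flow list through three configurations: a predictable unkeyed hash, the same hash with a hard entry cap (the shape of the emergency patch in the quoted message), and a hash mixed with a secret. The bucket count, hash functions, cap value and flow list are toy values chosen for the demonstration, not the kernel's.

```python
"""Added example (not code from the advisory or from the linux-kernel post).

Models a chained hash table like the 2.4 route cache and measures lookup cost
when every inserted flow lands in one bucket. Bucket count, hash functions,
the cap and the flow list are constructed for the demonstration.
"""
import hashlib
import hmac
import ipaddress
from collections import defaultdict

BUCKETS = 4096  # toy bucket count (assumption): a power of two, mask = BUCKETS - 1


def unkeyed_hash(saddr: int, daddr: int, tos: int) -> int:
    """Toy predictable hash: the bucket depends only on public packet fields."""
    return (saddr ^ daddr ^ tos) & (BUCKETS - 1)


def make_keyed_hash(secret: bytes):
    """Build a hash that mixes in a secret, so the bucket cannot be predicted
    from packet fields alone. HMAC-SHA256 is used here for clarity only; a
    kernel fast path would use a much cheaper keyed hash."""

    def keyed_hash(saddr: int, daddr: int, tos: int) -> int:
        msg = saddr.to_bytes(4, "big") + daddr.to_bytes(4, "big") + bytes([tos])
        digest = hmac.new(secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big") & (BUCKETS - 1)

    return keyed_hash


class RouteCache:
    """Chained hash table keyed by (saddr, daddr, tos), optionally size-capped."""

    def __init__(self, hash_fn, max_size=None):
        self.hash_fn = hash_fn
        self.max_size = max_size  # None = no cap on the number of cached entries
        self.chains = defaultdict(list)
        self.count = 0

    def lookup_or_insert(self, saddr: int, daddr: int, tos: int) -> int:
        """Look the flow up, inserting it on a miss if the cache is not full.
        Returns the number of chain entries compared, i.e. the cost of this
        lookup: the quantity a collision stream inflates."""
        key = (saddr, daddr, tos)
        chain = self.chains[self.hash_fn(*key)]
        cost = 0
        for entry in chain:
            cost += 1
            if entry == key:
                return cost  # hit
        if self.max_size is None or self.count < self.max_size:
            chain.append(key)  # miss: cache the new route
            self.count += 1
        # once the cap is reached the route is still resolved, just not cached
        return cost

    def max_chain_length(self) -> int:
        return max((len(c) for c in self.chains.values()), default=0)


def colliding_flows(n: int) -> list:
    """Constructed worst-case input: n distinct source addresses whose low
    12 bits XOR to the same value as daddr, so unkeyed_hash maps all of them
    to one bucket."""
    daddr = int(ipaddress.IPv4Address("192.0.2.1"))  # documentation address
    tos = 0
    return [((i << 12) | (daddr & (BUCKETS - 1)), daddr, tos) for i in range(n)]


def simulate(hash_fn, flows, max_size=None):
    """Feed the flows through a cache; return (longest chain, total compare cost)."""
    cache = RouteCache(hash_fn, max_size)
    total_cost = sum(cache.lookup_or_insert(*flow) for flow in flows)
    return cache.max_chain_length(), total_cost


if __name__ == "__main__":
    flows = colliding_flows(4000)
    print("unkeyed, uncapped :", simulate(unkeyed_hash, flows))
    print("unkeyed, cap 2048 :", simulate(unkeyed_hash, flows, max_size=2048))
    print("keyed, uncapped   :", simulate(make_keyed_hash(b"per-boot-secret"), flows))
```

With 4000 colliding flows the unkeyed table builds a single 4000-entry chain and the lookups cost roughly n²/2 comparisons in total. Capping the cache at 2048 entries bounds the chain, but every later lookup still walks all 2048 entries, which is why a cap of this kind is only an emergency measure. Mixing a secret into the hash is what actually removes the collision: the same flows spread across buckets and the total cost drops by orders of magnitude. Operationally, the longest chain length (or the per-lookup compare count) is the metric worth exporting, since a sudden jump in it while entry counts stay modest is the signature of this condition rather than of ordinary load.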

Impact:   A remote user can cause the kernel to freeze.
Solution:   The vendor has released a fixed version (2.4.21-rc2), available at:

http://www.kernel.org/

Vendor URL:  www.kernel.org/
Cause:   Resource error, State error
Underlying OS:  Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Red Hat Issues Fix) Linux 2.4 Kernel Route Cache Flaw Allows Remote Users to Cause Denial of Service Conditions
Red Hat has released a fix.
(EnGarde Issues Fix) Re: Linux 2.4 Kernel Route Cache Flaw Allows Remote Users to Cause Denial of Service Conditions
Guardian Digital has released a fix for EnGarde Linux.
(Red Hat Issues Fix for Enterprise AS) Re: Linux 2.4 Kernel Route Cache Flaw Allows Remote Users to Cause Denial of Service Conditions
Red Hat has issued a fix for Red Hat Linux Advanced Server and Advanced Workstation.
Dec 5 2003 (Conectiva Issues Fix for Conectiva 8) Linux 2.4 Kernel Route Cache Flaw Allows Remote Users to Cause Denial of Service Conditions
Conectiva has added a fix for Conectiva 8.



 Source Message Contents

Subject:  Route cache performance under stress


http://marc.theaimsgroup.com/?l=linux-kernel&m=104956079213417

List:     linux-kernel
Subject:  Route cache performance under stress
From:     Florian Weimer <fw () deneb ! enyo ! de>
Date:     2003-04-05 16:37:43

Please read the following paper:

<http://www.cs.rice.edu/~scrosby/tr/HashAttack.pdf>

Then look at the 2.4 route cache implementation.

Short summary: It is possible to freeze machines with 1 GB of RAM and
more with a stream of 400 packets per second with carefully chosen
source addresses.  Not good.

The route cache is a DoS bottleneck in general (that's why I started
looking at it).  You have to apply rate-limits in the PREROUTING
chain, otherwise a modest packet flood will push the machine off the
network (even with truly random source addresses, not triggering hash
collisions).  The route cache partially defeats the purpose of SYN
cookies, too, because the kernel keeps (transient) state for spoofed
connection attempts in the route cache.

The following patch can be applied in an emergency, if you face the
hash collision DoS attack.  It drastically limits the size of the
cache (but not the bucket count), and decreases performance in some
applications, but

--- route.c	2003/04/05 12:41:51	1.1
+++ route.c	2003/04/05 12:42:42
@@ -2508,8 +2508,8 @@
  		rt_hash_table[i].chain = NULL;
  	}

-	ipv4_dst_ops.gc_thresh = (rt_hash_mask + 1);
-	ip_rt_max_size = (rt_hash_mask + 1) * 16;
+	ipv4_dst_ops.gc_thresh = 512;
+	ip_rt_max_size = 2048;

  	devinet_init();
  	ip_fib_init();
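Review bot: the two replacement lines `+	ipv4_dst_ops.gc_thresh = 512;` and `+	ip_rt_max_size = 2048;` swap values derived from `rt_hash_mask` for fixed constants, so the limits no longer scale with the table size and a host with a large hash table gets the same 2048-entry ceiling as a small one; a comment stating why 512 and 2048 were chosen would help anyone applying this under pressure. Because the bucket count is unchanged (as the message itself says), a stream of colliding source addresses can still fill one chain up to the new maximum, so the hunk bounds the worst-case chain length rather than removing the collision; it would be worth stating that in the patch description so the change is not mistaken for a fix of the hash itself.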


(Yeah, I know, it's stupid, but it might help in an emergency.)

I wonder why the route cache is needed at all for hosts which don't
forward any IP packets, and why it has to include the source addresses
and TOS (for policy-based routing, probably).  Most hosts simply don't
face such complex routing decisions to make the cache a win.

If you don't believe me, hook a Linux box to a packet generator
(generating packets with random source addresses) and use iptables to
drop the packets, in a first test run in the INPUT chain (after route
cache), and in a second one in the PREROUTING chain (before route
cache).  I've observed an incredible difference (not in laboratory
tests, but during actual DoS attacks).

Netfilter ip_conntrack support might have similar issues, but you
can't use it in an uncooperative environment anyway, at least in my
experience.  (Note that there appears to be no way to disable
connection tracking while the code is in the kernel.)

Copyright 2022, SecurityGlobal.net LLC