Vigil@nce: Linux kernel, denial of service via RTO
March 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
When a Linux 2.6.32.x system offers a TCP service, an attacker can force an error in the computation of the RTO (Retransmission Timeout), which overloads the system.
Consequences: denial of service of the computer
Provenance: internet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 23/02/2010
DESCRIPTION OF THE VULNERABILITY
Since kernel version 2.6.32, the RTO (Retransmission Timeout) computation method changed. This timeout is computed from:
 - information in the TCP Timestamp option
 - the transit duration of first bytes
However, if the system received neither a TCP Timestamp option nor data bytes, the RTO is null. When an error occurs, the system thus tries to re-emit its packets in a loop, which consumes resources.
When a Linux 2.6.32.x system offers a TCP service, an attacker can therefore force an error in the computation of the RTO (Retransmission Timeout), which overloads the system.
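The failure mode described above, as a simplified model added to this page (not kernel code and not from the advisory): it uses the standard RFC 6298 estimator to show that, with no RTT sample, an unguarded computation yields an RTO of 0 and the timer re-arms immediately, while a fallback to an initial RTO plus a minimum clamp does not. The constants, the struct and all function names are assumptions for illustration.

```c
#include <stdio.h>

/* Assumed constants for this model, in milliseconds (not from the advisory). */
#define RTO_INITIAL_MS 3000u
#define RTO_MIN_MS 200u
#define RTO_MAX_MS 120000u

struct rtt_est { unsigned srtt_ms, rttvar_ms; int has_sample; };

/* RFC 6298 update from one RTT measurement (timestamp echo or ACKed data). */
void rtt_sample(struct rtt_est *e, unsigned r_ms)
{
    if (!e->has_sample) {                 /* first measurement */
        e->srtt_ms = r_ms;
        e->rttvar_ms = r_ms / 2;
        e->has_sample = 1;
        return;
    }
    unsigned diff = e->srtt_ms > r_ms ? e->srtt_ms - r_ms : r_ms - e->srtt_ms;
    e->rttvar_ms = (3 * e->rttvar_ms + diff) / 4;   /* beta = 1/4 */
    e->srtt_ms = (7 * e->srtt_ms + r_ms) / 8;       /* alpha = 1/8 */
}

/* Flawed form: trusts the estimator even if it never saw a sample (gives 0). */
unsigned rto_unguarded(const struct rtt_est *e) { return e->srtt_ms + 4 * e->rttvar_ms; }

/* Hardened form: initial RTO when there is no sample, then clamp to [min, max]. */
unsigned rto_guarded(const struct rtt_est *e)
{
    unsigned rto = e->has_sample ? rto_unguarded(e) : RTO_INITIAL_MS;
    if (rto < RTO_MIN_MS) rto = RTO_MIN_MS;
    return rto > RTO_MAX_MS ? RTO_MAX_MS : rto;
}

/* Timer expiries within window_ms when re-armed with the same RTO; cap bounds a zero-RTO loop. */
unsigned timer_firings(unsigned rto_ms, unsigned window_ms, unsigned cap)
{
    unsigned n = 0, t = 0;
    while (n < cap && t + rto_ms <= window_ms) { t += rto_ms; n++; }
    return n;
}

int main(void)
{
    struct rtt_est e = {0, 0, 0};         /* constructed: connection with no RTT sample */
    printf("no sample: unguarded rto=%u (%u expiries/s), guarded rto=%u (%u expiries/s)\n",
           rto_unguarded(&e), timer_firings(rto_unguarded(&e), 1000, 100000),
           rto_guarded(&e), timer_firings(rto_guarded(&e), 1000, 100000));
    return 0;
}
```

In this model the unguarded path hits the loop cap within a one-second window, which is the resource-consuming retransmission loop the description refers to.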
Identifiers: BID-38355, VIGILANCE-VUL-9465