Vigil@nce: Linux kernel, denial of service via RTO
March 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
When a Linux 2.6.32.x system offers a TCP service, an attacker
can force an error in the computation of the RTO (Retransmission
Timeout), which overloads the system.
Severity: 2/4
Consequences: denial of service of computer
Provenance: internet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 23/02/2010
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
Since kernel version 2.6.32, the RTO (Retransmission Timeout)
computation method has changed. This timeout is computed from:
– information in the TCP Timestamp option
– the transit duration of the first data bytes
However, if the system received neither a TCP Timestamp option nor
data bytes, the RTO is null. When an error occurs, the system thus
tries to re-emit its packets in a loop, which consumes resources.
When a Linux 2.6.32.x system offers a TCP service, an attacker
can therefore force an error in the computation of the RTO
(Retransmission Timeout), which overloads the system.
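The following simplified model is an added illustration, not kernel source and not part of the advisory. It shows why an estimator that never received a sample yields a zero timeout, and how a fallback plus a floor bounds the retransmission rate. The function names, the RFC 6298-style smoothing and the 1000 ms / 200 ms constants are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, NOT kernel source. Times in ms; constants are assumed. */
#define RTO_INIT_MS 1000u  /* fallback when no RTT sample exists */
#define RTO_MIN_MS   200u  /* floor applied by the guarded variant */

struct rtt_est { uint32_t srtt_ms, rttvar_ms; };  /* all zero = no sample yet */

/* Feed one RTT sample (timestamp echo or acknowledged data), RFC 6298 style. */
void rtt_sample(struct rtt_est *e, uint32_t r)
{
    if (e->srtt_ms == 0) {                 /* first measurement */
        e->srtt_ms = r;
        e->rttvar_ms = r / 2;
        return;
    }
    uint32_t diff = e->srtt_ms > r ? e->srtt_ms - r : r - e->srtt_ms;
    e->rttvar_ms = (3 * e->rttvar_ms + diff) / 4;
    e->srtt_ms = (7 * e->srtt_ms + r) / 8;
}

/* Unguarded: SRTT + 4*RTTVAR, which is 0 when no sample was ever taken. */
uint32_t rto_unguarded(const struct rtt_est *e)
{
    return e->srtt_ms + 4 * e->rttvar_ms;
}

/* Guarded: use a default when there is no estimate, then enforce a floor. */
uint32_t rto_guarded(const struct rtt_est *e)
{
    uint32_t rto = e->srtt_ms ? e->srtt_ms + 4 * e->rttvar_ms : RTO_INIT_MS;
    return rto < RTO_MIN_MS ? RTO_MIN_MS : rto;
}

/* Retransmissions a timer re-armed with a fixed rto fires within window_ms.
 * Backoff is omitted; cap stops the model where a zero rto would spin. */
uint32_t retransmits_in(uint32_t rto, uint32_t window_ms, uint32_t cap)
{
    uint32_t n = 0, t = 0;
    while (n < cap && (t += rto) <= window_ms)
        n++;
    return n;
}

int main(void)
{
    struct rtt_est none = {0, 0};          /* no timestamp option, no data */
    printf("unguarded: rto=%u, retransmits in 3 s=%u (capped)\n",
           (unsigned)rto_unguarded(&none),
           (unsigned)retransmits_in(rto_unguarded(&none), 3000, 100000));
    printf("guarded:   rto=%u, retransmits in 3 s=%u\n",
           (unsigned)rto_guarded(&none),
           (unsigned)retransmits_in(rto_guarded(&none), 3000, 100000));
    return 0;
}
```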
CHARACTERISTICS
Identifiers: BID-38355, VIGILANCE-VUL-9465
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-RTO-9465