Netflix Uncovers TCP Bugs Within The Linux & FreeBSD Kernels

  • Netflix Uncovers TCP Bugs Within The Linux & FreeBSD Kernels

    Phoronix: Netflix Uncovers TCP Bugs Within The Linux & FreeBSD Kernels

    As Netflix's first security bulletin for 2019, they warned of TCP-based remote denial of service vulnerabilities affecting both Linux and FreeBSD. These vulnerabilities are rated "critical" but already being corrected within the latest Git code...

  • #2
    this news is a bit latish, ..! ;-) https://www.youtube.com/watch?v=8akg0mPyflw


    • #3
      A few minutes after the announcement my PC was already running 5.1.11. Too bad it's gonna take quite some time before OpenWRT updates their images. They haven't even applied the patches yet.

      As a workaround you can run

      Code:
      sysctl net.ipv4.tcp_sack=0
      Last edited by birdie; 18 June 2019, 08:00 AM.


      • #4
        So they're being fixed in Linux. What about FreeBSD? Shouldn't Netflix fix it in the first place?


        • #5
          Originally posted by Volta
          So they're being fixed in Linux. What about FreeBSD? Shouldn't Netflix fix it in the first place?
          Default FreeBSD is not even affected.


          • #6
            https://github.com/Netflix/security-...it_limit.patch
            Netflix's provided patch for FreeBSD (12)


            • #7
              Originally posted by birdie
              A few minutes after the announcement my PC was already running 5.1.11. Too bad it's gonna take quite some time before OpenWRT updates their images. They haven't even applied the patches yet.

              As a workaround you can run

              Code:
              sysctl net.ipv4.tcp_sack=0
              My understanding is this can slow down TCP connections - you are better off using the iptables rule

              Code:
              iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
              SUSE's advisory suggests this -> https://www.suse.com/support/kb/doc/?id=7023928


              • #8
                Linux OS has to improve in security and efficiency.


                • #9
                  Originally posted by yossarianuk


                  Code:
                  iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
                  It is much preferred to use "iptables -I INPUT" instead of "iptables -A INPUT". Depending on the rules in your chain, -A could possibly cause much CPU load if the rule is heavily processed.

                  At HN it is suggested to use "-t raw -I PREROUTING", which could be of benefit especially with heavy traffic.
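
Added example (not part of any post in this thread, and not code from Netflix or SUSE): rule position also decides whether the low-MSS drop rule from #7 is reached at all, because a rule appended with -A is evaluated after every earlier ACCEPT in the chain. The script checks `iptables-save` output for that; the function name, status words and sample rulesets are constructed for illustration, and the ACCEPT test is a heuristic that only recognises the exact `--mss 1:500` rule quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Samples are constructed iptables-save
# output: rules print as -A in evaluation order, however they were added.
# Drop rule appended with -A: it lands after the port 22 ACCEPT.
SAMPLE_APPENDED='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
COMMIT'

# Same ruleset with the drop rule inserted with -I: it is evaluated first.
SAMPLE_INSERTED='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# mss_rule_status (hypothetical helper): reads iptables-save text on stdin, prints
#   missing   no tcpmss 1:500 DROP in filter/INPUT or raw/PREROUTING
#   shadowed  rule present, but an earlier ACCEPT in its chain can take a SYN
#   ok        rule present with no such ACCEPT ahead of it in some chain
mss_rule_status() {
  awk '
    function can_accept_syn(r) {          # heuristic, not a full rule evaluator
      if (r !~ / -j ACCEPT/) return 0
      if (r ~ / -p / && r !~ / -p tcp/) return 0        # another protocol only
      if (r ~ / -i lo( |$)/) return 0                   # loopback only
      if (r ~ /--(ct)?state / && r !~ /NEW/) return 0   # never matches a new SYN
      return 1
    }
    /^\*/ { table = substr($0, 2); next }
    $1 != "-A" { next }
    { key = table "/" $2 }
    key != "filter/INPUT" && key != "raw/PREROUTING" { next }
    /-m tcpmss/ && /--mss 1:500/ && /-j DROP/ {
      found = 1
      if (!(key in shadow)) clean = 1
      next
    }
    can_accept_syn($0) { shadow[key] = 1 }
    END { print (!found ? "missing" : (clean ? "ok" : "shadowed")) }
  '
}
printf 'appended: %s\n' "$(printf '%s\n' "$SAMPLE_APPENDED" | mss_rule_status)"
printf 'inserted: %s\n' "$(printf '%s\n' "$SAMPLE_INSERTED" | mss_rule_status)"
```

On a live host the same function can be fed `iptables-save` output directly, which normally requires root.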


                  • #10
                    Originally posted by Azrael5
                    Linux OS has to improve in security and efficiency.
                    Like any other OS. However, Linux beats commercial OSes by a large margin. Windows and OS X are far behind when it comes to audit.
