Linux kernel flaw could trigger DoS incidents

See how this flaw works and what you can do to protect your systems against it.


Several Linux distributions are reportedly vulnerable to a flaw in the 2.4 kernel's IPv4 route cache. According to the initial report from Secunia, the kernel places route-cache entries into hash buckets using a predictable function of packet fields that the sender controls. An attacker who chooses source addresses so that they all land in the same bucket forces every lookup to walk one very long chain, and the resulting CPU load can freeze the system.

Details
Florian Weimer first reported this threat on the Linux-Kernel mailing list (archived by The Aims Group at marc.theaimsgroup.com). Weimer's summary of the problem was this: “It is possible to freeze machines with 1 GB of RAM and more with a stream of 400 packets per second with carefully chosen source addresses.”

Weimer's posting includes a suggested rough-and-ready emergency patch for those under a hash collision DoS (denial of service) attack. The patch will slow performance but should keep the system online by drastically reducing the size of the cache.

Although the attack succeeds with only a moderate packet rate, it requires spoofed source addresses chosen specifically to collide in the route-cache hash. Weimer also pointed out that “the route cache is a DoS bottleneck in general,” and that even random source addresses can trigger a DoS event if they arrive at volumes well above 400 packets per second. Weimer's report, and the Secunia workaround described under Fix below, indicate that filtering the offending packets with iptables does not help when the rules sit in the INPUT chain: INPUT is traversed after the routing decision, by which time the route-cache entry has already been created.

Weimer recommends a Rice University paper by Scott Crosby and Dan Wallach, "Denial of Service via Algorithmic Complexity Attacks," which describes hash table DoS attacks in general and explains how a low-bandwidth attack lasting only a few minutes can drive a CPU to saturation once every insert degrades from constant time to a walk of the whole chain.
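To make the mechanism concrete, here is an added C illustration written for this article; it is neither Weimer's emergency patch nor the kernel's code. It models the route cache as a table of hash chains keyed by destination, source and TOS, first with an unkeyed XOR-and-fold hash in the style the 2.4 kernel used (a simplified stand-in, not the kernel's actual function), then with a Jenkins-style mix keyed by a secret value, which is the approach later 2.4 kernels adopted. The 4096-bucket table, the victim address 192.168.0.1 and the secret constant are all constructed for the example.

```c
/*
 * Added illustration (not Weimer's code and not kernel code): why a fixed,
 * public hash over attacker-controlled packet fields lets a low-rate stream
 * of chosen source addresses pile every route-cache entry into one bucket,
 * and why keying the hash with a secret removes the attacker's choice.
 * The "unkeyed" hash is a simplified stand-in for the XOR-and-fold style
 * hash 2.4 used; the table size and addresses are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RT_HASH_BITS 12                       /* assumed: 4096 buckets */
#define RT_HASH_MASK ((1u << RT_HASH_BITS) - 1)
#define N_ATTACK     400                      /* Weimer's ~400 pkt/s figure */
#define GOLDEN_RATIO 0x9e3779b9u

/* Unkeyed hash: every input is attacker-visible, so the bucket is predictable. */
uint32_t fold_hash(uint32_t daddr, uint32_t saddr, uint8_t tos)
{
    uint32_t h = daddr ^ saddr ^ tos;
    h ^= h >> 16;
    h ^= h >> 8;
    return h & RT_HASH_MASK;
}

/* Bob Jenkins lookup2-style mixing step; the secret enters through c. */
#define JMIX(a, b, c)                               \
    do {                                            \
        a -= b; a -= c; a ^= (c >> 13);             \
        b -= c; b -= a; b ^= (a << 8);              \
        c -= a; c -= b; c ^= (b >> 13);             \
        a -= b; a -= c; a ^= (c >> 12);             \
        b -= c; b -= a; b ^= (a << 16);             \
        c -= a; c -= b; c ^= (b >> 5);              \
        a -= b; a -= c; a ^= (c >> 3);              \
        b -= c; b -= a; b ^= (a << 10);             \
        c -= a; c -= b; c ^= (b >> 15);             \
    } while (0)

/* Keyed hash: without the secret the attacker cannot predict the bucket. */
uint32_t keyed_hash(uint32_t daddr, uint32_t saddr, uint8_t tos, uint32_t secret)
{
    uint32_t a = daddr + GOLDEN_RATIO;
    uint32_t b = saddr + GOLDEN_RATIO;
    uint32_t c = (uint32_t)tos + secret;
    JMIX(a, b, c);
    return c & RT_HASH_MASK;
}

/* Attacker side: brute-force source addresses the public hash sends to one bucket.
 * About one address in 4096 qualifies, so a few million candidates suffice. */
size_t pick_colliding_sources(uint32_t victim, uint32_t bucket, uint32_t *out, size_t want)
{
    size_t found = 0;
    for (uint32_t s = 1; found < want && s != 0; s++)
        if (fold_hash(victim, s, 0) == bucket)
            out[found++] = s;
    return found;
}

/* Defender's view: the longest chain a lookup would have to walk. */
size_t max_chain(const uint32_t *srcs, size_t n, uint32_t victim, int keyed, uint32_t secret)
{
    size_t count[1u << RT_HASH_BITS];
    size_t worst = 0;
    memset(count, 0, sizeof count);
    for (size_t i = 0; i < n; i++) {
        uint32_t b = keyed ? keyed_hash(victim, srcs[i], 0, secret)
                           : fold_hash(victim, srcs[i], 0);
        if (++count[b] > worst)
            worst = count[b];
    }
    return worst;
}

/* Whole scenario: 400 colliding sources aimed at the constructed victim 192.168.0.1. */
size_t worst_chain_under_attack(int keyed, uint32_t secret)
{
    static uint32_t srcs[N_ATTACK];
    uint32_t victim = 0xC0A80001u;            /* constructed victim address */
    size_t n = pick_colliding_sources(victim, 0, srcs, N_ATTACK);
    return max_chain(srcs, n, victim, keyed, secret);
}

int main(void)
{
    uint32_t secret = 0x5EED1234u;            /* stands in for a boot-time random seed */
    printf("longest chain, unkeyed hash: %zu\n", worst_chain_under_attack(0, 0));
    printf("longest chain, keyed hash:   %zu\n", worst_chain_under_attack(1, secret));
    return 0;
}
```

With the unkeyed hash all 400 entries end up in a single chain, so each new packet costs a walk of every entry already there; with the keyed hash the same 400 addresses spread over dozens of buckets. The attacker's search is free because the hash function and all of its inputs are public, which is exactly the precondition the Crosby and Wallach paper identifies. Keying the hash fixes that half of the problem; dropping attack packets before they are routed, as the PREROUTING workaround under Fix does, addresses the other.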

Applicability
The Secunia report says that this vulnerability exists in a number of Linux implementations:
  • Linux kernel 2.4.x
  • Conectiva Linux 7, 8, and 9
  • Debian GNU/Linux 3.0
  • Mandrake Linux 8 and 9
  • OpenLinux Server and Workstation 3
  • Various Red Hat versions
  • Slackware
  • SuSE

Risk level—critical
This flaw can be exploited remotely and can result in a server crash and/or DoS.

Fix
You can fix this problem with a patch, or, according to Secunia, by changing the iptables filter to use “the PREROUTING chain instead of the INPUT chain.” The workaround relies on the order in which the kernel processes an incoming packet: PREROUTING hooks run before the routing decision, so a packet dropped there never creates a route-cache entry, whereas INPUT runs after routing, when the entry already exists. Note that on a 2.4 kernel the filter table has no PREROUTING chain; the drop rules belong in the mangle table's PREROUTING chain. This only blocks sources you can enumerate in advance, so treat it as a stopgap until a patched kernel is installed.

At the time this article was written, only Red Hat had released an updated kernel to address this problem. See the Red Hat security advisory RHSA-2003:172-23 for more information. The Red Hat kernel patch also addresses unrelated problems.

Final word
At the recent IEEE Symposium on Security and Privacy in Berkeley, Calif., some Carnegie Mellon University graduate students presented schemes to reduce the impact of DoS events. According to this News.com report, Abraham Yaar proposed (in the Pi path-identification scheme, with Adrian Perrig and Dawn Song) having routers mark packets in otherwise unused IP header bits, so that a victim can recognise the path an attack arrives over and filter on it.

XiaoFeng Wang, another graduate student at CMU, presented with Michael Reiter a "puzzle auction" scheme in which the server sends a small computational puzzle back to the originating computer before serving each new request. Solving the puzzle adds a negligible delay for a legitimate client but imposes a large aggregate cost on a system trying to flood the server with requests, particularly because the puzzle difficulty can be raised as the load increases.