An excessive resource consumption flaw was found in the way the Linux kernel's networking subsystem processed TCP segments. If the Maximum Segment Size (MSS) of a TCP connection was set to low values, such as 48 bytes, it can leave as little as 8 bytes for the user data, which significantly increases the Linux kernel's resource (CPU, Memory, and Bandwidth) utilization. A remote attacker could use this flaw to cause a denial of service (DoS) by repeatedly sending network traffic on a TCP connection with low TCP MSS.
An excessive resource consumption flaw was found in the way the Linux kernel's networking subsystem processed TCP segments. If the Maximum Segment Size (MSS) of a TCP connection was set to low values, such as 48 bytes, it can leave as little as 8 bytes for the user data, which significantly increases the Linux kernel's resource (CPU, Memory, and Bandwidth) utilization. A remote attacker could use this flaw to cause a denial of service (DoS) by repeatedly sending network traffic on a TCP connection with low TCP MSS.
https://www.openwall.com/lists/oss-security/2019/06/17/5 https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
Workaround: $ sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP IMPORTANT: The net.ipv4.tcp_mtu_probing sysctl must be disabled (set to 0) when using the iptables rules shown above. Ensure it is disabled using the following command: $ sysctl net.ipv4.tcp_mtu_probing net.ipv4.tcp_mtu_probing = 0
Vulmon