Solaris Hosts are Vulnerable to a Denial of Service Induced by an Internet Transmission Control Protocol (TCP) "ACK Storm"



Category: Security
Release Phase: Resolved
Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System
Bug Id: 4511681
Date of Resolved Release: 26-JUL-2006


Impact

A remote privileged user may create a TCP (tcp(7p)) "ACK storm" or "ACK flood" which can cause a networked system to run out of resources, creating a Denial of Service (DoS) condition.

A TCP "ACK storm" can occur when a networked system sends a TCP packet which contains an incorrect sequence number to another networked system. The remote system will reply with a TCP ACK packet containing the expected sequence number and the originating system will send another packet with the incorrect sequence number. This exchange of ACK packets will continue indefinitely back and forth and thus create an "ACK storm".

This is the expected behavior of the Internet Transmission Control Protocol (TCP) protocol. The TCP protocol specification is described in RFC 793 at:

The patches listed in the "Resolution" section below limit the number of replies a Solaris system will make to a TCP packet with an incorrect sequence number and thus protect against an "ACK storm".


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 116965-17
  • Solaris 9 without patch 118305-07
  • Solaris 10 without patch 118833-12

x86 Platform

  • Solaris 8 without patch 116966-16
  • Solaris 9 without patch 117470-06
  • Solaris 10 without patch 118855-10

Symptoms

The system's performance will slow down if the described issue occurs; however, other systems on the network will not be affected.

The snoop output will be similar to the following:

    -----------------------------------------------------------------------------------------
      5   0.00000 192.168.1.245 -> 192.168.1.58  TCP D=3071 S=8080 Fin Ack=2363033 Seq=1558809380 Len=990 Win=8760
      6   0.00000 192.168.1.245 -> 192.168.1.58  TCP D=3071 S=8080     Ack=2363033 Seq=1558809380 Len=0 Win=8760
      7   0.00000  192.168.1.58 -> 192.168.1.245 TCP D=8080 S=3071     Ack=1558810371 Seq=2363033 Len=0 Win=7770
      8   0.00000 192.168.1.245 -> 192.168.1.58  TCP D=3071 S=8080     Ack=2363033 Seq=1558809380 Len=0 Win=8760
      9   0.00000  192.168.1.58 -> 192.168.1.245 TCP D=8080 S=3071     Ack=1558810371 Seq=2363033 Len=0 Win=7770
     10   0.01000 192.168.1.245 -> 192.168.1.58  TCP D=3071 S=8080     Ack=2363033 Seq=1558809380 Len=0 Win=8760
     11   0.00000  192.168.1.58 -> 192.168.1.245 TCP D=8080 S=3071 Fin Ack=1558810371 Seq=2363033 Len=0 Win=7770
     12   0.00000  192.168.1.58 -> 192.168.1.245 TCP D=8080 S=3071     Ack=1558810371 Seq=2363034 Len=0 Win=7770
     13   0.00000 192.168.1.245 -> 192.168.1.58  TCP D=3071 S=8080     Ack=2363033 Seq=1558809380 Len=0 Win=8760

    -----------------------------------------------------------------------------------------
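
The following is an added example, not part of the Sun Alert and not Sun's code: a Python check that reads snoop-format lines like those above and flags a connection when both endpoints keep repeating an identical zero-length ACK, the exchange described under "Impact". The function name, the default threshold of 2 (sized for this short trace) and the two 10.0.0.x lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Packets 5-10 are copied from the advisory's snoop trace; packets 90-91 are a
# constructed normal data/ACK pair added for contrast.
TRACE = """\
  5   0.00000 192.168.1.245 -> 192.168.1.58  TCP D=3071 S=8080 Fin Ack=2363033 Seq=1558809380 Len=990 Win=8760
  6   0.00000 192.168.1.245 -> 192.168.1.58  TCP D=3071 S=8080     Ack=2363033 Seq=1558809380 Len=0 Win=8760
  7   0.00000  192.168.1.58 -> 192.168.1.245 TCP D=8080 S=3071     Ack=1558810371 Seq=2363033 Len=0 Win=7770
  8   0.00000 192.168.1.245 -> 192.168.1.58  TCP D=3071 S=8080     Ack=2363033 Seq=1558809380 Len=0 Win=8760
  9   0.00000  192.168.1.58 -> 192.168.1.245 TCP D=8080 S=3071     Ack=1558810371 Seq=2363033 Len=0 Win=7770
 10   0.01000 192.168.1.245 -> 192.168.1.58  TCP D=3071 S=8080     Ack=2363033 Seq=1558809380 Len=0 Win=8760
 90   0.00000      10.0.0.1 -> 10.0.0.2      TCP D=22 S=40000     Ack=500 Seq=100 Len=20 Win=8760
 91   0.00000      10.0.0.2 -> 10.0.0.1      TCP D=40000 S=22     Ack=120 Seq=500 Len=0 Win=8760
"""

# src -> dst, ports, optional flag words (Fin, Syn, ...), then Ack/Seq/Len
PKT = re.compile(
    r"(\S+) -> (\S+)\s+TCP D=(\d+) S=(\d+)\s+((?:[A-Za-z]+ )*)"
    r"Ack=(\d+) Seq=(\d+) Len=(\d+)")

def find_ack_storms(trace, threshold=2):
    """Return {connection: {sender: repeats}} where BOTH sides resend the same bare ACK."""
    repeats = defaultdict(lambda: defaultdict(int))
    for line in trace.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        src, dst, dport, sport, flags, ack, seq, length = m.groups()
        if flags.strip() or int(length):
            continue  # only flagless, zero-length ACKs are part of the loop
        conn = tuple(sorted([(src, int(sport)), (dst, int(dport))]))
        repeats[conn][(src, int(seq), int(ack))] += 1

    storms = {}
    for conn, seen in repeats.items():
        worst = defaultdict(int)  # per sender: most repeats of one exact (seq, ack)
        for (src, _seq, _ack), count in seen.items():
            worst[src] = max(worst[src], count)
        # One-sided repeats are ordinary duplicate ACKs; a storm needs both
        # directions stuck on fixed sequence numbers.
        if len(worst) == 2 and min(worst.values()) >= threshold:
            storms[conn] = dict(worst)
    return storms

if __name__ == "__main__":
    for conn, counts in find_ack_storms(TRACE).items():
        print("possible ACK storm:", conn, counts)
```

On live traffic the threshold would need to be far higher than 2 and evaluated per time window, since a short burst of repeated ACKs can also appear during normal loss recovery.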



Workaround

There is no workaround. Please see the "Resolution" section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 116965-17 or later
  • Solaris 9 with patch 118305-07 or later
  • Solaris 10 with patch 118833-12 or later

x86 Platform

  • Solaris 8 with patch 116966-16 or later
  • Solaris 9 with patch 117470-06 or later
  • Solaris 10 with patch 118855-10 or later





Article Details
Article ID : 200483
Article Type : Sun Alert
Last reviewed : 2006-07-27
Audience : PUBLIC