CVE漏洞预警

RedHat将LinuxkernelTCP漏洞（CVE--）命名为SegmentSmack。研究人员发现对每个进入的包，tcp_collapse_ofo_queue()和tcp_prune_ofo_queue()的调用成本很高，会导致DoS攻击。

攻击者可以使用修改过的数据包来进行代价较大的调用，这会让带宽较小的网络中系统的CPU利用率达到饱和状态，导致DoS攻击。在最坏情况下，2k个包每秒的流量就可以导致系统拒绝服务。攻击会使系统CPU处于满负荷状态，同时网络包处理会有很大的延迟。

$top%Cpu25:0.0us,0.0sy,0.0ni,1.4id,0.0wa,0.0hi,98.5si,0.0st%Cpu26:0.0us,0.0sy,0.0ni,1.4id,0.0wa,0.0hi,98.6si,0.0st%Cpu28:0.0us,0.3sy,0.0ni,0.7id,0.0wa,0.0hi,99.0si,0.0st%Cpu30:0.0us,0.0sy,0.0ni,1.4id,0.0wa,0.0hi,98.6si,0.0stPIDUSERPRNIVIRTRESSHRS%CPU%MEMTIME+COMMANDrootR97.30.01:16.33ksoftirqd/rootR97.30.01:16.68ksoftirqd/rootR97.00.00:39.09ksoftirqd/rootR97.00.01:16.48ksoftirqd/30

因为DoS攻击需要到开放、可达端口的双向TCPsession，所以用伪造的IP地址不能发起此类攻击。

为了解决该漏洞，Linuxkernel开发人员已经发布了补丁。截止目前，除了运行修复的内核外，还没有其他缓解的方法，也没有攻击PoC发布。

补丁