
Linux and FreeBSD: Multiple TCP-based remote denial of service vulnerabilities - punnerud
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
======
WalterSobchak
Discussion from yesterday:
[https://news.ycombinator.com/item?id=20205566](https://news.ycombinator.com/item?id=20205566)

------
michaelngagnon
In 2010, I recommended ballistic-missile-defense systems run their servers
under both Linux and FreeBSD to mitigate the risk of kernel-level remote DoS
0-days [1]. Now it looks like N-version programming has failed yet again [2].

[1]
[http://michaelgagnon.me/file/isarcs.pdf](http://michaelgagnon.me/file/isarcs.pdf)

[2]
[https://en.wikipedia.org/wiki/N-version_programming](https://en.wikipedia.org/wiki/N-version_programming)

~~~
sjackso
I read the situation as being worse for Linux (3 CVEs, including one remotely-
inducible kernel panic, spanning many versions) than for FreeBSD (1 CVE that
can be exploited to slow down a target system in the latest major version).

But even granting that both affected OS flavors have serious DoS issues, a
service that used a mix of OS flavors in its servers would be more resistant
(not impervious) to attacks based on these TCP problems than a service using
only one flavor. So do you really count this as a failure of N-version
programming? (Honest question! This is not my area of expertise.)

------
d33
Nice! Didn't know it was Netflix who caught this. I wonder how they did this -
fuzzing perhaps? Curious how difficult it would be to employ a genetic fuzzer
like afl-fuzz to look for such bugs.

~~~
vardump
> I wonder how they did this - fuzzing perhaps?

That, reviewing/auditing kernel code or they got hit with it.

------
wills_forward
Every time I see one of these systemic vulnerabilities get found I wonder how
many others someone (or some entity) is just sitting on until they REALLY
need to use it.

Someone tell me it’s all going to be okay and this digital world isn’t going
to just crumble someday. Please. Anyone.

~~~
staticassertion
There are entities out there sitting on hundreds of 0days. Governments buy
hundreds every year.

Things aren't really getting much better either, so yeah, could totally
crumble.

