Hacker News new | past | comments | ask | show | jobs | submit login
[dupe] Linux and FreeBSD: Multiple TCP-based remote denial of service vulnerabilities (github.com)
83 points by punnerud 28 days ago | hide | past | web | favorite | 8 comments




In 2010, I recommended ballistic-missile-defense systems run their servers under both Linux and FreeBSD to mitigate the risk of kernel-level remote DoS 0-days [1]. Now it looks like N-version programming has failed yet again [2].

[1] http://michaelgagnon.me/file/isarcs.pdf

[2] https://en.wikipedia.org/wiki/N-version_programming


I read the situation as being worse for Linux (3 CVEs, including one remotely-inducable kernel panic, spanning many versions) than for FreeBSD (1 CVE that can be exploited to slow down a target system in the latest major version).

But even granting that both affected OS flavors have serious DoS issues, a service that used a mix of OS flavors in its servers would be more resistant (not impervious) to attacks based on these TCP problems than a service using only one flavor. So do you really count this as a failure of N-version programming? (Honest question! This is not my area of expertise.)


Nice! Didn't know it was Netflix who caught this. I wonder how they did this - fuzzing perhaps? Curious how difficult it would be to employ a genetic fuzzer like afl-fuzz to look for such bugs.


> I wonder how they did this - fuzzing perhaps?

That, reviewing/auditing kernel code or they got hit with it.


Every time I see one of these systemic vulnerabilities get found I wonder how many others someone (or some entity) are just sitting on until they REALLY need to use it.

Someone tell me it’s all going to be okay and this digital world isn’t going to just crumble someday. Please. Anyone.


There are entities out there sitting on hundreds of 0days. Governments buy hundreds every year.

Things aren't really getting much better either, so yeah, could totally crumble.`


Reminds me of a (now defunct) computer un-conference I went to about 8 or 9 years ago. I left fulfilled and defeated by how vulnerable everything seemed.

Whenever I went to a “professional” conference in my field from then-on, I just felt disappointed in how little I got to learn.




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: