One of the data structures that holds TCP segments in all versions of FreeBSD prior to 11.2-RELEASE-p1, 11.1-RELEASE-p12, and 10.4-RELEASE-p10 uses an inefficient algorithm to reassemble the data. This causes the CPU time spent on segment processing to grow linearly with the number of segments in the reassembly queue. An attacker who has the ability to send TCP traffic to a victim system can degrade the victim systems network performance and/or consume excessive CPU by exploiting the inefficiency of TCP reassembly handling, with relatively small bandwidth cost.
The product does not properly control the allocation and maintenance of a limited resource.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Freebsd | Freebsd | 10.4 (including) | 10.4 (including) |
| Freebsd | Freebsd | 10.4-p1 (including) | 10.4-p1 (including) |
| Freebsd | Freebsd | 10.4-p3 (including) | 10.4-p3 (including) |
| Freebsd | Freebsd | 10.4-p4 (including) | 10.4-p4 (including) |
| Freebsd | Freebsd | 10.4-p5 (including) | 10.4-p5 (including) |
| Freebsd | Freebsd | 10.4-p6 (including) | 10.4-p6 (including) |
| Freebsd | Freebsd | 10.4-p7 (including) | 10.4-p7 (including) |
| Freebsd | Freebsd | 10.4-p8 (including) | 10.4-p8 (including) |
| Freebsd | Freebsd | 10.4-p9 (including) | 10.4-p9 (including) |
| Freebsd | Freebsd | 11.1 (including) | 11.1 (including) |
| Freebsd | Freebsd | 11.1-p1 (including) | 11.1-p1 (including) |
| Freebsd | Freebsd | 11.1-p11 (including) | 11.1-p11 (including) |
| Freebsd | Freebsd | 11.1-p2 (including) | 11.1-p2 (including) |
| Freebsd | Freebsd | 11.1-p4 (including) | 11.1-p4 (including) |
| Freebsd | Freebsd | 11.1-p5 (including) | 11.1-p5 (including) |
| Freebsd | Freebsd | 11.1-p6 (including) | 11.1-p6 (including) |
| Freebsd | Freebsd | 11.1-p7 (including) | 11.1-p7 (including) |
| Freebsd | Freebsd | 11.1-p9 (including) | 11.1-p9 (including) |
| Freebsd | Freebsd | 11.2 (including) | 11.2 (including) |
Mitigation of resource exhaustion attacks requires that the target system either:
The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.