Probable DOS in linuxbridge
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
OpenStack Security Notes |
New
|
Undecided
|
Unassigned | ||
neutron |
Fix Released
|
Critical
|
Brian Haley |
Bug Description
We experienced a DOS yesterday on a system (not openstack based) which would have been mitigated if a mac address whitelist in ebtables had occurred in the nat PREROUTING chain rather than the filter FORWARD chain.
At least with kernel version 4.9, with rapidly cycling mac addresses the linux bridge appears to get bogged down in learning new MAC addresses if this is not explicitly turned off with brctl setageing <bridge> 0.
We deployed a workaround to our own infrastructure but I believe https:/
It should be possible to move all logic related to checking the input to the ebtables nat PREROUTING chain using the ebtables_nat module.
To duplicate, in a VM on a host with bridged networking and mac spoofing protection in place, install dsniff and run:
macof -i <ethernet device> -s <valid local IP> -d <valid remote IP> -n 50000000 &> /dev/null
Observe on the host that ksoftirqd usage goes to near 100% on one core, that 'perf top' will show br_fdb_update as taking significant resources, and that 'brctl showmacs <bridge>' will probably hang.
description: | updated |
description: | updated |
Changed in neutron: | |
importance: | Undecided → Critical |
Changed in neutron: | |
milestone: | none → queens-rc1 |
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.