[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1732294] Re: Probable DOS in linuxbridge

Sarah - is it possible for you to test my proposed change?  It's
basically doing what you said - move the rules to the nat table
PREROUTING chain.  Thanks.

You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.

  Probable DOS in linuxbridge

Status in neutron:
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:

Bug description:
  We experienced a DOS yesterday on a system (not openstack based) which
  would have been mitigated if a mac address whitelist in ebtables had
  occurred in the nat PREROUTING chain rather than the filter FORWARD

  At least with kernel version 4.9, with rapidly cycling mac addresses
  the linux bridge appears to get bogged down in learning new MAC
  addresses if this is not explicitly turned off with brctl setageing
  <bridge> 0.

  We deployed a workaround to our own infrastructure but I believe
  means that openstack has the same vulnerability.

  It should be possible to move all logic related to checking the input
  to the ebtables nat PREROUTING chain using the ebtables_nat module.

  To duplicate, in a VM on a host with bridged networking and mac
  spoofing protection in place, install dsniff and run:

  macof -i <ethernet device> -s <valid local IP> -d <valid remote IP> -n
  50000000 &> /dev/null

  Observe on the host that ksoftirqd usage goes to near 100% on one
  core, that 'perf top' will show br_fdb_update as taking significant
  resources, and that 'brctl showmacs <bridge>' will probably hang.

To manage notifications about this bug go to: