
The TCP SACK panic


Posted Jun 20, 2019 2:09 UTC (Thu) by josh (subscriber, #17465)
Parent article: The TCP SACK panic

I'm really curious how Netflix happened across these vulnerabilities. Did they hit them in practice, did they find them through security testing, did they have some particular reason to be staring at this code...



The TCP SACK panic

Posted Jun 20, 2019 4:26 UTC (Thu) by mtaht (subscriber, #11087)

Ironically, I had been pushing for a couple of years now that we start exploring reducing the MSS when under extreme congestion and cwnd = 2 (https://www.bufferbloat.net/projects/ecn-sane/wiki/).

Oops. Looks like someone else found a use for the idea.

The TCP SACK panic

Posted Jun 20, 2019 8:46 UTC (Thu) by Lennie (subscriber, #49641)

Notice how the security reports say FreeBSD and Linux:

https://github.com/Netflix/security-bulletins/blob/master...

But FreeBSD did not release any security updates; how is that possible?

Turns out it is FreeBSD 12 using the RACK TCP stack:

http://freebsd.1045724.x6.nabble.com/TCP-RACK-performance...

The RACK TCP stack was created by Netflix for their FreeBSD-based CDN appliance:

https://openconnect.netflix.com/en/appliances/

The TCP SACK panic

Posted Jul 7, 2019 17:48 UTC (Sun) by kmeyer (subscriber, #50720)

Looney works on FreeBSD networking at Netflix and was probably testing his own code against Linux.

