Dear Debian kernel maintainers,

This might be a long shot but I decided to ask here anyway. If nothing else
I hope to bring more awareness.

The current kernel in Debian Jessie (3.16) is prone to a
resource-exhaustion attack against its IPv6 routing table. In short, every
time a packet from a new IPv6 peer is received, an entry is created in the
IPv6 routing table. This serves as a cache (although it's in the same
table) so that MTU and other parameters are stored on a per-peer basis.
This creates the potential for an attacker to quickly fill up the table by
sending packets from different source addresses. The effect is that as the
table gets full the garbage collector starts running back-to-back using
100% system CPU causing the system to degrade rapidly.

The above is my understanding anyway and might be partially incorrect.

Facebook has contributed a patch which skips the creation of a new entry if
the MTU is the same as the default route (which is almost always the case),
thus keeping the table small. Unfortunately that patch has been introduced
sometime after 4.1-4.2 kernels and is not present in the default Debian
Jessie kernel. It does seem to be fixed in the 4.7 from backports.

Due to the severity of this, I was wondering if you could consider
backporting that patch for the 3.16 kernel as well?

Additional details regarding the patch are available at:
https://code.facebook.com/posts/1123882380960538/linux-ipv6-improvement-routing-cache-on-demand/

Regards,
-- 
Rumen Telbizov
Unix Systems Administrator <http://telbizov.com>
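A defender-side check for the condition described in the message above, added here as an example and not part of the original email or of the Facebook patch: it parses /proc/net/ipv6_route, counts the entries carrying the RTF_CACHE flag (the per-peer entries the message refers to), and compares that count with net.ipv6.route.gc_thresh and net.ipv6.route.max_size so an operator can tell when the kernel is about to run the garbage collector continuously. The sample table, the fallback sysctl defaults and the function names are constructed assumptions.

```python
"""Measure IPv6 route-cache pressure from /proc/net/ipv6_route."""
from pathlib import Path
from typing import Tuple

RTF_CACHE = 0x01000000  # flag bit marking a per-destination cache entry


def count_cache_entries(table_text: str) -> Tuple[int, int]:
    """Return (cache_entries, total_entries) for /proc/net/ipv6_route text.

    Line layout: dst dst_plen src src_plen nexthop metric refcnt use flags dev
    (all numeric fields are hex); the flags word is the ninth field.
    """
    cache = total = 0
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # blank or malformed line
        total += 1
        if int(fields[8], 16) & RTF_CACHE:
            cache += 1
    return cache, total


def cache_pressure(cache_entries: int, gc_thresh: int, max_size: int) -> str:
    """Classify how close the cache is to back-to-back garbage collection."""
    if cache_entries >= max_size:
        return "critical"   # table full: GC runs on every new entry
    if cache_entries >= gc_thresh:
        return "gc-active"  # above threshold: GC already being triggered
    return "ok"


def read_sysctl(name: str, default: int) -> int:
    """Read an integer sysctl from /proc/sys; use the default when absent."""
    path = Path("/proc/sys") / name.replace(".", "/")
    try:
        return int(path.read_text().strip())
    except (OSError, ValueError):
        return default


# Constructed sample (not captured from a real host): two cached peer entries
# (flags 0x01000001 = RTF_CACHE|RTF_UP), one prefix route, one default route.
SAMPLE_TABLE = """\
20010db8000000000000000000000001 80 00000000000000000000000000000000 00 fe800000000000000000000000000001 00000400 00000000 00000001 01000001 eth0
20010db8000000000000000000000002 80 00000000000000000000000000000000 00 fe800000000000000000000000000001 00000400 00000000 00000001 01000001 eth0
20010db8000000000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00000001 eth0
00000000000000000000000000000000 00 00000000000000000000000000000000 00 fe800000000000000000000000000001 00000400 00000000 00000000 00000003 eth0
"""

if __name__ == "__main__":
    try:
        text = Path("/proc/net/ipv6_route").read_text()
    except OSError:
        text = SAMPLE_TABLE  # no live table available; use the constructed one
    cached, total = count_cache_entries(text)
    thresh = read_sysctl("net.ipv6.route.gc_thresh", 1024)  # assumed default
    limit = read_sysctl("net.ipv6.route.max_size", 4096)    # assumed default
    print(f"{cached} cache entries of {total} routes; gc_thresh={thresh} "
          f"max_size={limit}: {cache_pressure(cached, thresh, limit)}")
```

Run it periodically (cron or a monitoring agent) and alert on anything other than "ok"; a steadily rising cache count from many distinct peers is the symptom the message describes.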
