Add low MSS TCP option identifier

ilyaglow · Jun 23, 2019 · 834d027 · 834d027
1 parent 453e672
commit 834d027
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/badcapt.go b/badcapt.go
@@ -28,6 +28,7 @@ var defaultMarkers = []Marker{
 	MiraiIdentifier,
 	ZmapIdentifier,
 	MasscanIdentifier,
+	LowMSSIdentifier,
 }
 
 // Badcapt defines badcapt configuration

diff --git a/low_mss.go b/low_mss.go
@@ -0,0 +1,31 @@
+package badcapt
+
+import (
+	"encoding/binary"
+
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+)
+
+// LowMSSIdentifier adds low-mss tag for a packet which TCP Maximum Segment
+// Size is less than 500. This fact indicates potential SACK Panic attack
+// (CVE-2019-11477).
+// Details: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md#1-cve-2019-11477-sack-panic-linux--2629
+func LowMSSIdentifier(p gopacket.Packet) []string {
+	tcp := unpackTCP(p)
+	if tcp == nil {
+		return nil
+	}
+
+	if tcp.SYN == false {
+		return nil
+	}
+
+	for _, o := range tcp.Options {
+		if o.OptionType == layers.TCPOptionKindMSS && binary.BigEndian.Uint16(o.OptionData) < 500 {
+			return []string{"low-mss"}
+		}
+	}
+
+	return nil
+}