Description: This bug appeared during a few experimentations with the TCP/IP stack after which we found out that it was not, at least it is not of our knowledge, found anywhere else before. That was actually a Solaris bug that resembles this one.

After an established connection, a specially crafted packet with the ACK/FIN flags set, a corrected Sequency Number but with an incorrected Acknowledge Number will trigger a massive flush of packages with zero size and only the ACK flag set. Ethereal logs showed that the keep alive state was occuring and this flow kept going for approximately 3 minutes and a few million packets. It was clearly observed that CPU and network performance was severed decreased due to this misbehave.

Potential attacks includes DoS and DDoS. Applications and services that depends on quality of services (QoS) such as H323 applications (VoIP) and video streamming will suffer dramatic performance downgrade.

Interesting looking presentation at Phreaknic this year.