Add low MSS TCP option identifier

ilyaglow · ilyaglow · commit 834d0271ff2e · 2019-06-23T14:41:27.000+03:00
diff --git a/badcapt.go b/badcapt.go
@@ -28,6 +28,7 @@ var defaultMarkers = []Marker{
 	MiraiIdentifier,
 	ZmapIdentifier,
 	MasscanIdentifier,
+	LowMSSIdentifier,
 }
 
 // Badcapt defines badcapt configuration
diff --git a/low_mss.go b/low_mss.go
@@ -0,0 +1,31 @@
+package badcapt
+
+import (
+	"encoding/binary"
+
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+)
+
+// LowMSSIdentifier adds low-mss tag for a packet which TCP Maximum Segment
+// Size is less than 500. This fact indicates potential SACK Panic attack
+// (CVE-2019-11477).
+// Details: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md#1-cve-2019-11477-sack-panic-linux--2629
+func LowMSSIdentifier(p gopacket.Packet) []string {
+	tcp := unpackTCP(p)
+	if tcp == nil {
+		return nil
+	}
+
+	if tcp.SYN == false {
+		return nil
+	}
+
+	for _, o := range tcp.Options {
+		if o.OptionType == layers.TCPOptionKindMSS && binary.BigEndian.Uint16(o.OptionData) < 500 {
+			return []string{"low-mss"}
+		}
+	}
+
+	return nil
+}

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ var defaultMarkers = []Marker{`
`28`	`28`	`MiraiIdentifier,`
`29`	`29`	`ZmapIdentifier,`
`30`	`30`	`MasscanIdentifier,`
	`31`	`+ LowMSSIdentifier,`
`31`	`32`	`}`
`32`	`33`
`33`	`34`	`// Badcapt defines badcapt configuration`