Microsoft is aware of a denial of service vulnerability (named "FragmentSmack", CVE-2018-5391) affecting Windows systems. An attacker could send many 8-byte IP fragments with random starting offsets while withholding the last fragment, so the fragments are never reassembled and each new arrival forces a worst-case (linear) walk of the linked lists the IP stack uses to hold fragments awaiting reassembly. A system under attack would become unresponsive with 100% CPU utilization but would recover as soon as the attack terminated.
To protect your system from this vulnerability, Microsoft recommends that you take the following actions:
1. What workaround(s) exist for this vulnerability?
The following commands disable IP fragment reassembly. Any fragment that arrives out of order is dropped, so fragmented traffic that depends on reassembly may experience packet loss. Valid scenarios should not exceed 50 out-of-order fragments.
We recommend testing prior to updating production systems.
Netsh int ipv4 set global reassemblylimit=0
Netsh int ipv6 set global reassemblylimit=0
Further netsh guidance can be found in the netsh documentation.
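The following script is an added example, not part of the Microsoft advisory. It applies the two netsh commands above to both address families, records the values that were in effect so the workaround can be reverted once the fix is installed, and verifies the change by re-reading the "Reassembly Limit" line of netsh's show global output. The parsing of that line and the backup file location are this script's assumptions.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the advisory): apply the CVE-2018-5391 workaround
  (reassemblylimit=0 for IPv4 and IPv6), keep the previous limits for rollback,
  and verify the new value. Run with -Rollback to restore the saved limits.
  Assumptions: "netsh interface ipvX show global" prints a line of the form
  "Reassembly Limit : <bytes> bytes"; the backup path is arbitrary.
#>
[CmdletBinding()]
param(
    [switch]$Rollback,
    [string]$BackupPath = "$env:ProgramData\CVE-2018-5391-reassemblylimit.json"
)

function Get-ReassemblyLimit {
    param([ValidateSet('ipv4', 'ipv6')][string]$Family)
    # Read the current limit back from netsh rather than trusting our own write.
    foreach ($line in (netsh interface $Family set global 2>&1 | Out-Null; netsh interface $Family show global)) {
        if ($line -match '^\s*Reassembly Limit\s*:\s*(\d+)') { return [int64]$Matches[1] }
    }
    throw "Could not read the reassembly limit for $Family"
}

function Set-ReassemblyLimit {
    param([ValidateSet('ipv4', 'ipv6')][string]$Family, [int64]$Bytes)
    # Same command the advisory gives, with the family and value substituted.
    netsh interface $Family set global reassemblylimit=$Bytes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for $Family (exit code $LASTEXITCODE)" }
}

$families = 'ipv4', 'ipv6'

if ($Rollback) {
    if (-not (Test-Path $BackupPath)) { throw "No saved limits found at $BackupPath" }
    $saved = Get-Content -Path $BackupPath -Raw | ConvertFrom-Json
    foreach ($f in $families) {
        Set-ReassemblyLimit -Family $f -Bytes ([int64]$saved.$f)
        Write-Host ("{0}: reassembly limit restored to {1} bytes" -f $f, (Get-ReassemblyLimit -Family $f))
    }
    return
}

# Save the pre-workaround limits once; a second run must not overwrite them with zeros.
if (-not (Test-Path $BackupPath)) {
    $current = @{}
    foreach ($f in $families) { $current[$f] = Get-ReassemblyLimit -Family $f }
    $current | ConvertTo-Json | Set-Content -Path $BackupPath -Encoding ASCII
    Write-Host "Saved current limits to $BackupPath"
}

foreach ($f in $families) {
    Set-ReassemblyLimit -Family $f -Bytes 0
    $after = Get-ReassemblyLimit -Family $f
    if ($after -ne 0) { throw ("{0}: reassembly limit is {1}, expected 0" -f $f, $after) }
    Write-Host ("{0}: IP fragment reassembly disabled (reassemblylimit=0)" -f $f)
}
```

Because reassembly is fully disabled, test this against the fragmented traffic your hosts legitimately receive (large UDP payloads such as some DNS or IPsec responses) before rolling it out, and run the script with -Rollback after the security update is installed.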
2. Is Azure affected?
Azure fabric layer protections mitigate this vulnerability: the attack traffic is blocked before it reaches Azure VMs.
3. What can I do at the perimeter to block this attack?
Review your perimeter device vendor's guidance and lower the IP fragment reassembly limits there, similar to the netsh commands listed in FAQ #1.