The TCP stack in the Linux kernel 3.x does not properly implement a SYN cookie protection mechanism for the case of a fast network connection, which allows remote attackers to cause a denial of service (CPU consumption) by sending many TCP SYN packets. The belief is that the system spends considerable time generating TCP SYN cookies, creating a soft lockup that reduces its ability to handle other requests. This is because SYN cookie generation is serialized per system rather than per CPU; other CPUs on the system can continue to work correctly.

References:
https://cxsecurity.com/issue/WLB-2017020112
https://githubengineering.com/syn-flood-mitigation-with-synsanity/
Statement: This issue affects Red Hat Enterprise Linux 5, 6, 7 and MRG-2 kernels. Red Hat has no plans to fix this issue at this time. While performance enhancements have been made upstream, Red Hat Product Security believes the report to be invalid and able to be mitigated with synproxy. This flaw is currently under investigation for validity and Red Hat is asking to revoke the CVE.
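The condition described above, a host burning CPU on SYN cookie generation, is visible in the kernel's own TcpExt counters. The following is an added example, not part of the CVE record or any vendor tooling: it parses the TcpExt section of /proc/net/netstat from two samples and flags a suspected SYN flood when cookies are being sent at a sustained rate. The 1000 cookies/second threshold and the two embedded samples are constructed assumptions.

```python
"""Spot a SYN flood that is forcing SYN-cookie generation, from /proc/net/netstat."""

# Counters that move when the kernel falls back to SYN cookies: SyncookiesSent is
# bumped for every SYN answered with a cookie, TCPReqQFullDoCookies whenever the
# listen backlog is full and a cookie is used instead of dropping the SYN.
WATCH = ("SyncookiesSent", "SyncookiesRecv", "SyncookiesFailed",
         "TCPReqQFullDoCookies", "ListenOverflows")


def parse_tcpext(text):
    """Return {counter: value} from the TcpExt header line / value line pair."""
    lines = [l for l in text.splitlines() if l.startswith("TcpExt:")]
    if len(lines) < 2:
        raise ValueError("no TcpExt section found")
    names = lines[0].split()[1:]
    values = [int(v) for v in lines[1].split()[1:]]
    return dict(zip(names, values))


def cookie_rates(before, after, seconds):
    """Per-second delta of each watched counter between two samples."""
    return {k: (after.get(k, 0) - before.get(k, 0)) / seconds for k in WATCH}


def syn_flood_suspected(rates, cookies_per_sec=1000.0):
    """True when cookies are generated at a sustained rate (threshold is an assumption)."""
    return rates["SyncookiesSent"] >= cookies_per_sec


def sample_live(path="/proc/net/netstat"):
    """Read the live counters; call twice with a sleep in between for rates."""
    with open(path) as f:
        return parse_tcpext(f.read())


# Constructed samples one second apart, mimicking two reads of /proc/net/netstat
# on a host under SYN flood (header line followed by value line, as the kernel prints them).
SAMPLE_T0 = """TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed TCPReqQFullDoCookies ListenOverflows
TcpExt: 120000 35 10 120000 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""
SAMPLE_T1 = SAMPLE_T0.replace("120000 35 10 120000", "245000 38 12 245000")

if __name__ == "__main__":
    rates = cookie_rates(parse_tcpext(SAMPLE_T0), parse_tcpext(SAMPLE_T1), 1.0)
    print(rates, "SYN flood suspected" if syn_flood_suspected(rates) else "normal")
```

On a live host the same functions run over two calls to `sample_live()` a few seconds apart; when the check fires, the mitigation the statement names is the netfilter synproxy target in front of the affected listener.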