From what I've gathered, it affects constant TCP sessions mostly, such as BGP, and Astaro doesn't have any dynamic routing protocols on it (BGP or RIP etc), so it should be fairly safe.
Although all TCP connections are affected, the probability of a successful attack is very small, and all that happens is that the connection gets reset.
Also, the attacker will have to know the start and endpoints of your traffic to be able to spoof them.
I know spoofing is child's play, but an attacker will have to spoof a specific IP address which makes it slightly more difficult :)
The worst that can happen is that a TCP session will be reset, and an attacker has to do an awful lot of legwork to get that to happen, for almost no gain.
If you are remotely situated on the Internet from the firewall, getting a reply packet delivered with a target of your victim and a source of a site you know the victim usually visits will be a challenge. Some ISPs and IAPs (Internet Access Points, sort of like the on-ramps to the Internet backbone) often will not permit an inconsistent source address (that's really just a spoof of your victim) to be relayed because their routers use source ACLs.
But if you can take control of a device just outside your network interface or maybe a hop or two away (ISPs often do not have picky source ACLs on their internal customer networks, but in times ahead they will!), you could have that machine perpetrate such a DoS attack.
So if this DoS attack technology is packed in a mail or web propagating virus or worm and focuses on LAN peers, it's eminently doable. The virus could sniff for sites being accessed (or even guess some popular ones?) on the LAN interface and start jamming them.
It could be a HUGE annoyance. Imagine trying to download your Astaro ISO and getting cut off continually. Or how about sites that deliver security patches or host many people's mail.
Fortunately, there is a fix: requesting confirmation of the session teardown can reduce the odds greatly that the attacker will stumble upon the session. I have great confidence that those working on the network stack of Linux will be trotting this out. My condolences to those using obscure or legacy TCP internetworking code on their operating systems or network devices.
P.S. This will be a huge headache for ISPs, because many were running their routing protocols unprotected; now they have to upgrade them stat. The upgrades will be causing a lot of spot service interruptions. They are saying that many Internet backbone routers have already been patched, but I question whether many ISPs have updated their internal routers yet.
P.P.S. It is possible for an IDS to detect such an attack, by identifying a 'spread' of resets in quick succession involving the same address. But if someone is sniffing for the Initial Sequence Number (ISN) and making a more targeted attack on a session using a single Reset, it will not be possible to differentiate between a real and a fake reset, other than by detecting spoofed packets using software that works with managed switches. Chances are non-sniffing 'spread' attacks will be the fad, since they will work across switches.
Now we wait for the arrival of the virus. Could be months, could be days. Could be never if other easier or more 'fun' exploits are disclosed. It won't mean system compromise (at least not directly, when one takes into account possible attacks involving servers that deliver security patches); but it might be another buzzing gnat to swat if your boxes aren't patched.
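The 'spread' detection described in the P.P.S. above, sketched as an added example that is not part of the original thread. The `Pkt` record, the one-second window, the threshold of five distinct sequence numbers and the sample capture are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from typing import NamedTuple

class Pkt(NamedTuple):
    ts: float    # capture time, seconds
    src: str     # claimed source address (may be spoofed)
    dst: str
    sport: int
    dport: int
    flags: str   # TCP flags as letters, e.g. "A", "R", "RA"
    seq: int

def detect_rst_spread(packets, window=1.0, min_distinct_seq=5):
    """Flag address pairs hit by many RSTs with different sequence numbers
    inside `window` seconds. A genuine teardown sends one RST (possibly
    retransmitted with the same seq); a blind guesser has to walk the
    sequence space, which is the 'spread' an IDS can see."""
    recent = defaultdict(deque)          # (src, dst) -> deque of (ts, seq)
    alerted, alerts = set(), []
    for p in sorted(packets, key=lambda p: p.ts):
        if "R" not in p.flags:
            continue
        key = (p.src, p.dst)
        q = recent[key]
        q.append((p.ts, p.seq))
        while p.ts - q[0][0] > window:   # drop RSTs older than the window
            q.popleft()
        distinct = len({seq for _, seq in q})
        if distinct >= min_distinct_seq and key not in alerted:
            alerted.add(key)
            alerts.append({"src": p.src, "dst": p.dst,
                           "first_ts": q[0][0], "distinct_seq": distinct})
    return alerts

# Constructed sample capture (documentation address ranges, not real traffic).
SAMPLE = [Pkt(0.00, "203.0.113.5", "192.0.2.10", 80, 40100, "A", 1000)]
# Eight RSTs in 70 ms, each with a different sequence number: the spread.
SAMPLE += [Pkt(1.00 + i * 0.01, "198.51.100.7", "192.0.2.10", 179, 40200,
               "R", 500000 + i * 16384) for i in range(8)]
# One ordinary reset, retransmitted once with the same sequence number.
SAMPLE += [Pkt(2.00, "203.0.113.5", "192.0.2.10", 80, 40100, "R", 1460),
           Pkt(2.20, "203.0.113.5", "192.0.2.10", 80, 40100, "R", 1460)]

if __name__ == "__main__":
    for alert in detect_rst_spread(SAMPLE):
        print(alert)
```

The retransmitted reset from 203.0.113.5 is not flagged, and neither would a single reset carrying a sniffed sequence number be, which is the limitation the P.P.S. points out.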