SACK Vulnerability

You may have heard about the recent vulnerability referred to as SACK, in which a carefully crafted series of packets can be used as a denial of service attack against a remote Linux (or FreeBSD) system. Though there are three variants of this, the end result is roughly the same: An outage for you and your customers, caused by a third party.

While we won’t get too deep into what this vulnerability is, we wanted to offer our customers some information about how to mitigate against this.

Mitigation:

To mitigate against this in the most effective way, use iptables with these commands:

iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP

 

ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP


You can use the package “iptables-persistent” to make sure that these rules stay on reboot. You can find more about that here:
https://www.thomas-krenn.com/en/wiki/Saving_Iptables_Firewall_Rules_Permanently

 

  • 0 Users Found This Useful
Was this answer helpful?