SACK Vulnerability

You may have heard about the recent vulnerability referred to as SACK, in which a carefully crafted series of packets can be used as a denial-of-service attack against a remote Linux (or FreeBSD) system. Though there are three variants of this, the end result is roughly the same: an outage for you and your customers, caused by a third party.

While we won’t get too deep into what this vulnerability is, we wanted to offer our customers some information about how to mitigate it.


To mitigate it in the most effective way, use iptables (and ip6tables for IPv6) to drop incoming TCP SYN packets that advertise a maximum segment size (MSS) between 1 and 500:

iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP


ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
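The following script is an added example, not part of the original post: it inserts the rule above only when it is not already present, and audits iptables-save style output for it. The function names and the sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: idempotent install and audit of the MSS-filter rule.

# The match used on the page: SYN packets advertising an MSS of 1-500.
RULE_SPEC='-p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP'

# has_mss_rule: read iptables-save / ip6tables-save output on stdin and
# succeed only if a rule in the INPUT chain drops SYNs with MSS 1:500.
has_mss_rule() {
    grep -Eq -- '^-A INPUT .*--tcp-flags SYN SYN .*--mss 1:500 .*-j DROP$'
}

# ensure_mss_rule CMD: insert the rule with CMD (iptables or ip6tables)
# unless -C reports it already exists, so reruns do not stack copies.
ensure_mss_rule() {
    # RULE_SPEC is left unquoted on purpose so it splits into arguments.
    "$1" -C INPUT $RULE_SPEC 2>/dev/null || "$1" -I INPUT $RULE_SPEC
}

# audit_host: check the live IPv4 and IPv6 rulesets (needs root).
audit_host() {
    iptables-save  | has_mss_rule || { echo "IPv4 rule missing"; return 1; }
    ip6tables-save | has_mss_rule || { echo "IPv6 rule missing"; return 1; }
    echo "MSS filter present for IPv4 and IPv6"
}

# Constructed sample of iptables-save output with the rule in place.
SAMPLE_OK='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample where the rule landed in the wrong chain.
SAMPLE_WRONG_CHAIN='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
COMMIT'

# Offline self-check against the constructed sample.
printf '%s\n' "$SAMPLE_OK" | has_mss_rule && echo "sample ruleset: protected"
```

On a live host, run `ensure_mss_rule iptables` and `ensure_mss_rule ip6tables` as root, then `audit_host` to confirm both address families are covered.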

You can use the package “iptables-persistent” to make sure that these rules persist across reboots. You can find more about that here:


