SACK Vulnerability

You may have heard about the recent vulnerability referred to as SACK, in which a carefully crafted series of packets can be used as a denial of service attack against a remote Linux (or FreeBSD) system. Though there are three variants of this, the end result is roughly the same: An outage for you and your customers, caused by a third party.

While we won’t get too deep into what this vulnerability is, we wanted to offer our customers some information about how to mitigate against this.


To mitigate against this in the most effective way, use iptables with these commands:

iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP


ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP

You can use the package “iptables-persistent” to make sure that these rules stay on reboot. You can find more about that here:


  • 0 Users Found This Useful
Was this answer helpful?