Re: Protecting old Linux hosts against TCP Sack Panic with SRX, how?
Seems good enough for me and many others 🙂
(it's an iptables compatible one)
Just to note that most Linux hosts shouldn't really accept a SACK packet with an MSS lower than 5xx (56x?, don't remember). I have tested a couple of pieces of code with scapy and it's not simple to kill a host just out of the blue.
There might be a legit connection that will state a < 500 MSS.
Technically a better solution might be to remove the MSS part from the packet or raise it to 600.
But it's better safe than sorry.
The actual implementation is part of a negotiation, and the ACK can contain a disagreement on the MSS section.
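As an added illustration (not code from the thread or from Juniper), here is the filtering logic the reply describes in plain Python: walk the TCP options of a SYN, drop it when the MSS option is below a threshold (500 as in the post), or alternatively rewrite a too-small MSS up to 600 and recompute the TCP checksum so the segment stays valid. The SYN bytes and the TEST-NET addresses are constructed sample input.

```python
import struct

SRC, DST = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10])  # constructed TEST-NET-1 addresses

def build_syn(mss: int) -> bytes:  # constructed TCP SYN (no IP header): MSS, SACK-permitted, NOPs, wscale
    opts = struct.pack("!BBH", 2, 4, mss) + bytes([4, 2, 1, 1, 3, 3, 7, 1])
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, ((20 + len(opts)) // 4) << 4, 2, 29200, 0, 0)
    return hdr + opts

def find_mss(segment: bytes):
    """Walk the TCP options; return (offset of the MSS value, MSS) or None if absent or malformed."""
    data_off = (segment[12] >> 4) * 4 if len(segment) >= 20 else 0
    if data_off < 20 or data_off > len(segment):
        return None
    i = 20
    while i < data_off:
        kind = segment[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # NOP padding, one byte
            i += 1
            continue
        length = segment[i + 1] if i + 1 < data_off else 0
        if length < 2 or i + length > data_off:
            return None                    # truncated or bogus length: refuse to guess
        if kind == 2 and length == 4:
            return i + 2, struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None
def mss_verdict(segment: bytes, min_mss: int = 500) -> str:
    """Policy from the post: drop SYNs that advertise an MSS below the threshold (no MSS option: nothing to filter on)."""
    found = find_mss(segment)
    return "drop" if found is not None and found[1] < min_mss else "accept"
def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """IPv4 TCP checksum over pseudo-header + segment, with the checksum field zeroed."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment[:16] + b"\0\0" + segment[18:]
    data += b"\0" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF
def clamp_mss(segment: bytes, src: bytes, dst: bytes, floor: int = 600) -> bytes:
    """Alternative from the post: raise a too-small MSS to the floor and fix up the TCP checksum."""
    found = find_mss(segment)
    if found is None or found[1] >= floor:
        return segment
    seg = bytearray(segment)
    struct.pack_into("!H", seg, found[0], floor)
    struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)
```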