Re: Protecting old Linux hosts against TCP Sack Panic with SRX, how?
Seems good enough for me and many others
(it's an iptables-compatible one)
Just to note that most Linux hosts shouldn't really accept a SACK packet with an MSS lower than 5xx (56x? I don't remember). I have tested a couple of pieces of code with scapy and it's not simple to kill a host just out of the blue.
There might be a legitimate connection that will state an MSS < 500.
Technically a better solution might be to remove the MSS part from the packet or raise it to 600.
But it's better safe than sorry.
The actual implementation is a part of a negotiation and the ACK can contain a disagreement on the MSS section.
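As an added illustration of the two mitigations the reply weighs (drop a SYN whose MSS option is below the threshold, or rewrite a low MSS upward), here is a small TCP-option inspector in plain Python. It is example code written for this note, not something from the thread, SRX, or iptables; the threshold of 500 matches the public iptables mitigation (`-p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP`), the clamp value of 600 is the reply's suggestion, and the 10.0.0.x addresses and port numbers are made up for the constructed SYN. The MSS option is only present on SYN and SYN-ACK segments, so the filter looks at nothing else.

```python
"""TCP MSS inspection for the SACK Panic mitigation (example code, not from the thread)."""
import socket
import struct

MIN_SAFE_MSS = 500   # below this the public iptables rule drops the SYN
CLAMP_MSS = 600      # value the reply suggests rewriting a low MSS to

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS, TCP_OPT_SACK_PERMITTED = 0, 1, 2, 4
TCP_FLAG_SYN, TCP_FLAG_ACK = 0x02, 0x10


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over an arbitrary byte string (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum of a TCP segment with the IPv4 pseudo-header; the checksum field is zeroed first."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return _ones_complement_sum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment with a correct checksum sums to zero when the checksum field is included."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return _ones_complement_sum(pseudo + segment) == 0


def parse_tcp_options(segment: bytes) -> dict:
    """Walk the option list after the 20-byte header; returns {kind: payload}, NOP/EOL skipped."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        out[kind] = opts[i + 2:i + length]
        i += length
    return out


def mss_of(segment: bytes):
    """The advertised MSS, or None when the segment carries no (well-formed) MSS option."""
    payload = parse_tcp_options(segment).get(TCP_OPT_MSS)
    return struct.unpack("!H", payload)[0] if payload is not None and len(payload) == 2 else None


def policy(segment: bytes, min_mss: int = MIN_SAFE_MSS) -> str:
    """'drop' for a SYN/SYN-ACK advertising an MSS below min_mss, otherwise 'accept'."""
    if not segment[13] & TCP_FLAG_SYN:
        return "accept"          # MSS is only negotiated on SYN-flagged segments
    mss = mss_of(segment)
    return "drop" if mss is not None and mss < min_mss else "accept"


def clamp_mss(segment: bytes, src_ip: str, dst_ip: str, floor: int = CLAMP_MSS) -> bytes:
    """Copy of the segment with any MSS below `floor` raised to it and the checksum recomputed."""
    buf = bytearray(segment)
    data_offset = (buf[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = buf[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = buf[i + 1]
        if kind == TCP_OPT_MSS and length == 4 and struct.unpack_from("!H", buf, i + 2)[0] < floor:
            struct.pack_into("!H", buf, i + 2, floor)
        i += length
    struct.pack_into("!H", buf, 16, tcp_checksum(src_ip, dst_ip, bytes(buf)))
    return bytes(buf)


def build_syn(sport: int, dport: int, mss: int, src_ip: str = "10.0.0.1", dst_ip: str = "10.0.0.2") -> bytes:
    """Constructed SYN with MSS, SACK-permitted and two NOP options (28-byte header), valid checksum."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss) + bytes([TCP_OPT_SACK_PERMITTED, 2, TCP_OPT_NOP, TCP_OPT_NOP])
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, data_offset << 4, TCP_FLAG_SYN, 65535, 0, 0)
    segment = header + options
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]


def build_ack(sport: int, dport: int) -> bytes:
    """Constructed option-less ACK (20-byte header); checksum left zero, it is never inspected for MSS."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1001, 1, 5 << 4, TCP_FLAG_ACK, 65535, 0, 0)


if __name__ == "__main__":
    for mss in (48, 1460):
        syn = build_syn(40000, 80, mss)
        print("MSS", mss, "->", policy(syn), "| clamped MSS", mss_of(clamp_mss(syn, "10.0.0.1", "10.0.0.2")))
```

`policy` is the drop rule from the advisory and `clamp_mss` is the reply's alternative; the latter recomputes the TCP checksum because a middlebox that rewrites the option without doing so hands the host a segment it will discard. One caveat for anyone reaching for iptables to do the rewrite: the kernel's TCPMSS target only ever lowers an MSS option, never raises it, so raising a low MSS to 600 as done here needs a device that will actually mangle the option upward (or the dropping rule instead).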