How to Mitigate the SACK Panic DDoS Attack

Glen Kosaka Container Security

By Gary Duan On June 17, 2019, security researchers at Netflix released a series of vulnerabilities they discovered in the Linux and FreeBSD kernel. By sending crafted SACK packets to the vulnerable server, attackers are able to slow down the server’s TCP stack, incur excessive resource usage, and in the worst case scenario, cause a kernel panic. The main vulnerability, …