Netflix has identified several TCP networking vulnerabilities in most common Linux (and FreeBSD) kernels. These flaws could allow a remote attacker to crash or severely slow down a system. As far as we know, no proof of concept exists yet, but that is most likely just a matter of time. More detailed information is in the links below; here are just some quick fixes and workarounds.
To test if SACK is enabled, use
A value of 1 means SACK is enabled; 0 means it is disabled.
Kernel updates are available for most popular distributions. Installation can be as easy as:
sudo apt-get update && sudo apt-get dist-upgrade
for Debian and Ubuntu, or
sudo yum update kernel
for Red Hat and CentOS. (On Debian and Ubuntu, dist-upgrade rather than upgrade is needed because a new kernel comes as a new package that the kernel metapackage pulls in.) A reboot is required before the updated kernel is actually running.
Although selective acknowledgements make TCP communication more efficient, especially on links that lose packets, most systems will work just fine without them.
On systems that use SELinux, start by disabling it temporarily:
sudo setenforce 0
To disable SACK, create a file /etc/sysctl.d/sack_off.conf with the following content:
net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0
net.ipv4.tcp_fack = 0
and activate the settings using:
sudo sysctl -p /etc/sysctl.d/sack_off.conf
The files in /etc/sysctl.d are read at boot time, so the settings persist across reboots.
With the settings above in a file, the workaround boils down to the following commands:
sudo setenforce 0
sudo curl https://www.diades.nl/sack_off.conf -o /etc/sysctl.d/sack_off.conf
sudo sysctl -p /etc/sysctl.d/sack_off.conf
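Applying the file does not prove the settings are in effect: a later file in /etc/sysctl.d can override them, and a kernel may not expose a key at all. The following script is an added example, not part of the original post, that compares every key = value line of a sysctl.d file with the live values under /proc/sys; the second argument (the /proc/sys root) is an assumption of this example so the script can be tried on a constructed directory tree.

```shell
#!/bin/sh
# Verify that a sysctl.d file (e.g. the sack_off.conf above) is really in
# effect by reading the live kernel values under /proc/sys.

# Print the live value of one sysctl key, mapping dots to path separators
# (net.ipv4.tcp_sack -> /proc/sys/net/ipv4/tcp_sack).
# Prints "missing" when the running kernel does not expose the key.
live_value() {
    key=$1
    root=${2:-/proc/sys}
    path="$root/$(printf '%s' "$key" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    else
        echo missing
    fi
}

# Compare every "key = value" line of a sysctl.d file with the live value.
# Blank lines and comments (# or ;) are skipped; whitespace around "=" is
# tolerated. Returns 0 when everything matches, 1 when any key differs from
# the file or is missing from the kernel.
verify_sysctl_conf() {
    conf=$1
    root=${2:-/proc/sys}
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|';'*) continue ;; esac
        key=$(printf '%s' "$line" | cut -d= -f1 | tr -d '[:space:]')
        want=$(printf '%s' "$line" | cut -d= -f2- | tr -d '[:space:]')
        have=$(live_value "$key" "$root")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: file says %s, kernel has %s\n' "$key" "$want" "$have"
            status=1
        else
            printf 'ok       %s = %s\n' "$key" "$have"
        fi
    done < "$conf"
    return $status
}

# Real use after "sysctl -p" or after a reboot:
#   verify_sysctl_conf /etc/sysctl.d/sack_off.conf
```

A non-zero exit status means SACK is still enabled somewhere, so the check fits naturally into a post-reboot configuration audit.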