SACK panic
Netflix has identified several TCP networking vulnerabilities in the Linux and FreeBSD kernels. The flaws allow a remote attacker to crash a system or severely slow it down. No proof of concept exists yet, as far as we know, but that is most likely just a matter of time. More detailed information is in the links below; here are just some quick fixes and workarounds.
The vulnerabilities are known by the following identifiers:
CVE-2019-11477 (SACK Panic, Linux)
CVE-2019-11478 (SACK slowness, Linux)
CVE-2019-11479 (excess resource consumption due to low MSS values, Linux)
CVE-2019-5599 (SACK slowness, FreeBSD)
To test whether SACK is enabled, use
cat /proc/sys/net/ipv4/tcp_sack
A return value of 1 means that SACK is enabled (this single setting covers both IPv4 and IPv6 TCP).
Solution
Kernel updates are available for most popular distributions. Installation can be as easy as:
sudo apt-get update && sudo apt-get upgrade
for Debian and Ubuntu (apt-get update only refreshes the package lists; the upgrade step installs the new kernel), or
sudo yum update kernel
for RedHat and CentOS. A reboot is necessary to boot into the updated kernel; until then the running kernel is still vulnerable.
Workaround
Although selective acknowledgements make TCP recovery from packet loss more efficient, most systems will work fine without them; expect somewhat lower throughput on lossy or high-latency links.
There is no need to disable SELinux for this: changing sysctl settings is allowed in enforcing mode, so leave it on.
To disable SACK, create a file /etc/sysctl.d/sack_off.conf with the following code:
net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0
net.ipv4.tcp_fack = 0
and activate the settings using:
sudo sysctl -p /etc/sysctl.d/sack_off.conf
The files in /etc/sysctl.d are read at boot time, so the settings are permanent. Note that tcp_sack alone is what the advisories tell you to turn off; on kernels from 4.15 on, tcp_fack is a legacy option with no effect, so setting it is harmless. If the running kernel does not expose one of these keys at all, sysctl reports an error for that line and still applies the others, so verify afterwards with cat /proc/sys/net/ipv4/tcp_sack that the value is 0.
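The following script puts the check from the start of the page and the workaround above into one piece. It is an added example, not code from the original post: write_sack_off_conf writes the three-line sysctl.d fragment, sack_disabled reads the live values back and only succeeds when the kernel really reports 0, and apply_sack_off ties the two together the way the workaround describes. The function names and the optional directory argument (which lets you point the check at a copy of /proc/sys/net/ipv4 for testing without root) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): write the SACK-off sysctl
# fragment, apply it, and verify that the kernel actually took the setting.
# The paths are parameters so the check can be run without root against a
# directory that mirrors /proc/sys/net/ipv4 (assumption of this example).

# The keys the workaround sets; all are set to 0.
SACK_KEYS="tcp_sack tcp_dsack tcp_fack"

# Write the sysctl.d fragment. $1 = destination file (normally
# /etc/sysctl.d/sack_off.conf). Overwrites whatever is there.
write_sack_off_conf() {
    conf="$1"
    : > "$conf"
    for k in $SACK_KEYS; do
        printf 'net.ipv4.%s = 0\n' "$k" >> "$conf"
    done
}

# Verify the live kernel values. $1 = directory holding the tcp_* files
# (default /proc/sys/net/ipv4). Returns 0 only when tcp_sack exists and
# every key that the kernel exposes reads 0; returns 1 otherwise. A key the
# kernel does not expose is reported and skipped, which is what sysctl -p
# does with a missing key as well.
sack_disabled() {
    dir="${1:-/proc/sys/net/ipv4}"
    rc=0
    if [ ! -e "$dir/tcp_sack" ]; then
        echo "tcp_sack: not found in $dir, cannot verify"
        return 1
    fi
    for k in $SACK_KEYS; do
        f="$dir/$k"
        if [ ! -e "$f" ]; then
            echo "$k: not exposed by this kernel, skipped"
            continue
        fi
        v=$(cat "$f")
        if [ "$v" = "0" ]; then
            echo "$k = 0 (disabled)"
        else
            echo "$k = $v (still enabled)"
            rc=1
        fi
    done
    return $rc
}

# The complete workaround as the post describes it. Needs root, because it
# writes to /etc/sysctl.d and changes kernel parameters.
apply_sack_off() {
    conf=/etc/sysctl.d/sack_off.conf
    write_sack_off_conf "$conf"
    sysctl -p "$conf"
    sack_disabled /proc/sys/net/ipv4
}

# Usage: sudo sh sack_off.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_sack_off
fi
```

sack_disabled insists on tcp_sack being present: a directory with none of the keys would otherwise pass vacuously, and tcp_sack is the setting that actually matters for the panic. Its exit status makes it usable from monitoring or configuration-management checks, not just by eye.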
Easier
With the settings above in a file, the workaround boils down to the following commands:
sudo curl https://www.diades.nl/sack_off.conf -o /etc/sysctl.d/sack_off.conf
sudo sysctl -p /etc/sysctl.d/sack_off.conf
You are placing a file fetched from a remote site into root-owned configuration, so read /etc/sysctl.d/sack_off.conf between the two steps: it should contain only the three net.ipv4 lines listed above, nothing else. Disabling SELinux is not required for any of this.