I have a Linux server network that sits behind an SRX device.
Some of the servers cannot be upgraded and are vulnerable to the TCP SACK Panic CVE.
I cannot upgrade these servers at this time, and on more than one node iptables is not compiled into the kernel.
Ubuntu, Red Hat and others give a couple of recommendations (https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic).
The most sane of them for my systems is the one where iptables drops every packet with an MSS between 0 and 500:
# Drop forwarded TCP segments whose MSS option advertises 1-500 bytes (SACK Panic mitigation)
iptables -I FORWARD 1 -p tcp -m tcpmss --mss 1:500 -j DROP
I was wondering if there is any possible way to do the same on the SRX to protect my vulnerable hosts?
Thanks,
Eliezer
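The iptables rule in the post matches on the MSS option carried in a TCP segment's header, which is normally present only on SYN and SYN-ACK segments. The following is an added example (not the poster's or Juniper's code) that reproduces that matching logic in Python: it parses TCP options, extracts the MSS value, and returns the verdict the `--mss 1:500 -j DROP` rule would give. The segments it runs on are constructed inline with a small builder, so it works offline; any real filter you configure should be checked against the same boundary values (500 dropped, 501 allowed, no MSS option allowed).

```python
import struct

# TCP option kinds (RFC 793 / RFC 9293)
TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2

# Mirrors the iptables match "-m tcpmss --mss 1:500" (inclusive range)
MSS_DROP_RANGE = range(1, 501)


def build_syn(mss=None, src_port=40000, dst_port=443):
    """Build a minimal TCP SYN segment (constructed test input, not captured traffic)."""
    options = b""
    if mss is not None:
        options += struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    # Pad options to a multiple of 4 bytes with NOPs so the data offset is whole words
    while len(options) % 4:
        options += bytes([TCP_OPT_NOP])
    data_offset_words = (20 + len(options)) // 4
    flags = 0x02  # SYN
    header = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        0, 0,                       # seq, ack
        data_offset_words << 4,     # data offset in the high nibble, reserved bits zero
        flags,
        65535, 0, 0,                # window, checksum (left zero here), urgent pointer
    )
    return header + options


def parse_mss(segment):
    """Return the advertised MSS from a TCP segment's options, or None if absent."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte TCP base header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid TCP data offset")
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break  # truncated option header
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break  # malformed option length; stop rather than over-read
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


def verdict(segment):
    """Same policy as the iptables rule: DROP if the MSS option is 1..500, otherwise ACCEPT."""
    mss = parse_mss(segment)
    if mss is not None and mss in MSS_DROP_RANGE:
        return "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    for mss in (None, 48, 500, 501, 1460):
        print(f"MSS={mss}: {verdict(build_syn(mss))}")
```

Because the match keys on the MSS option, segments without that option (ordinary data segments) are never touched by the rule, which is why it is a low-risk mitigation; the cost is that legitimate peers advertising an unusually small MSS are refused as well.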