@alsunseri
Last active June 27, 2019 22:14
troubleshoot/mitigate SACK MSS CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479
Work in progress: these have been tested somewhat and work for my troubleshooting needs for now.
Craft TCP SYN packets that carry a low MSS option.
Many other options can be added, but this is enough to test filters, iptables rules, etc.:
hping3 -S --tcp-mss 398 -s 49280 -k -p 80 hostname.server.net
tcpdump to print to the terminal any TCP SYN packets on eth0 whose options include an MSS of 500 or less
(0x01F4 or less).
This _will_ detect the hping3 packets above, but it probably only works when MSS is the ONLY option set, since tcp[22:2] reads the fixed position MSS occupies when it is the first option.
The two bytes at TCP header offsets 22 and 23 (tcp[22:2]) should then be 0x01F4 or less:
tcpdump -c 2100 -pnnlvvvX -s 0 -i eth0 tcp and "(((tcp[12] & 0xf0) >> 2) > 20) && tcp[22:2] < 501"
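As an added example (not part of this gist), the Python below reproduces the BPF expression above on a constructed TCP header and sets it beside a detector that walks the option list, so MSS 398 is still found when NOPs or a window-scale option precede it. The header bytes, ports and sequence number are constructed here, not captured.

```python
import struct

MSS_LIMIT = 500  # threshold used on this page: MSS of 500 or less is suspect

def build_syn(options: bytes) -> bytes:
    """Constructed SYN header (not a capture): 49280 -> 80, SYN set, options padded with EOL bytes."""
    options += b"\x00" * ((-len(options)) % 4)
    words = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 49280, 80, 0x1000, 0,
                        words << 4, 0x02, 65535, 0, 0)
    return fixed + options

def bpf_filter_matches(tcp: bytes) -> bool:
    """Mirror of the page's tcpdump expression: (((tcp[12] & 0xf0) >> 2) > 20) && tcp[22:2] < 501.
    It reads the bytes where MSS sits only when MSS is the FIRST option."""
    header_len = (tcp[12] & 0xF0) >> 2
    if header_len <= 20 or len(tcp) < 24:
        return False
    return struct.unpack("!H", tcp[22:24])[0] < MSS_LIMIT + 1

def parse_mss(tcp: bytes):
    """Walk the (kind, length, data) option list; return the MSS value or None if absent."""
    opts = tcp[20:(tcp[12] & 0xF0) >> 2]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # NOP: single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):   # truncated option header
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                # malformed length: stop rather than misread
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def low_mss_syn(tcp: bytes) -> bool:
    """SYN flag set and MSS <= MSS_LIMIT, wherever MSS sits in the options."""
    mss = parse_mss(tcp)
    return bool(tcp[13] & 0x02) and mss is not None and mss <= MSS_LIMIT

# MSS as the only option, as hping3 --tcp-mss 398 sends it: both checks fire.
SYN_MSS_FIRST = build_syn(b"\x02\x04" + struct.pack("!H", 398))
# Two NOPs and window-scale ahead of MSS: tcp[22:2] reads 0x0303, BPF is silent, the walk still finds 398.
SYN_MSS_LATER = build_syn(b"\x01\x01\x03\x03\x07\x02\x04" + struct.pack("!H", 398))
```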
iptables rule to silently drop IPv4 TCP SYN packets with MSS option set to 500 or less:
iptables -I INPUT 1 -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP