From firstname.lastname@example.org Mon Oct 14 21:23:40 1996
Date: Mon, 14 Oct 1996 14:00:02 -0500
From: "Scott C. Sanchez" <email@example.com>
To: firstname.lastname@example.org
Subject: New OFFICIAL patches for BSD/OS 2.1, including SYN attack patch

Here is the word from BSDI themselves....

Date: Thu, 3 Oct 1996 17:42:46 -0600 (MDT)
To: email@example.com
Subject: New OFFICIAL patches for BSD/OS 2.1, including SYN attack patch
From: firstname.lastname@example.org

There are several new patches available from the patches server or via
the ftp archive at:

    ftp://ftp.bsdi.com/bsdi/patches/patches-2.1

All of the README file entries are appended at the bottom of this
message.

The patches are U210-024, U210-025, U210-026, K210-021, K210-022, and
K210-023. The kernel patches depend on the K210-019 performance patch,
which is now available to all BSDI 2.1 customers via anonymous ftp (it
had previously only been available for customers with valid support
contracts). As usual, the md5 signatures are in the README entries and
the pgp signatures are in the signatures subdirectory of the patches
directory.

The first of the utilities patches (U210-024) has been available from
the servers since Sept. 18, but has not been announced until now -- it
updates sendmail to version 8.7.6, thus closing the holes referenced in
CERT advisory CA-96.20.

The third utilities patch (U210-026) replaces the shared libc library
and closes a hole in the resolver library routines which has seen
discussion recently in various security related forums.

The third kernel patch (K210-023) updates the de(4) DEC PCI Ethernet
driver to include support for the DE500-AA version and fixes several
bugs.

The remainder of the patches (K210-021, K210-022, and U210-025) add
support for IP source checking, and for reducing and/or eliminating
problems associated with SYN attacks, IP fragment attacks, and some
other denial of service/looped server attacks.
IP source address verification is a valuable tool for protecting
against some forms of IP-spoofing as described in CERT advisory
CA 96.21, "TCP SYN Flooding and IP Spoofing Attacks". The full text of
this advisory is available as:

    ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding

If you are a service provider, using IP source verification will
protect your customers against attacks from the Internet which appear
to be coming from your customers' networks, and it will ensure that
packets sent from your customers' networks have a source address on
your customers' networks (preventing them from spoofing source
addresses and/or attacking others).

Jeff
--
 /\      Jeff Polk         Berkeley Software Design, Inc. (BSDI)
/\/ \    polk@BSDI.COM     5575 Tech Center Dr. #110, Colo Spgs, CO 80919

[additional note from Jeff: There is also an official press release
about the patch (and the fact that we're giving the code away for
other BSD based OS's) on our web server at www.BSDI.COM.]

===================================================================
PATCH: K210-019

SUMMARY:
This patch adds several TCP performance enhancements.

    o PCB hashing
    o Optimized delayed ACK processing
    o Optimized TIME-WAIT state processing
    o Initial congestion window fixes
    o Eliminate sending small packets when more data is waiting to be
      copied from the application, but don't delay them unnecessarily
      when there isn't.

This patch also includes a new kernel config option, INET_SERVER.
Turning on this option will cause the PCB hashing code to use a much
larger hash table. Typically this would be useful on busy WEB servers.

md5 checksum: 9527c357be5a70f718236073a66fad94 K210-019

===================================================================
PATCH: K210-021

SUMMARY:
This patch adds two networking features that can help defeat and
detect some types of denial of service attacks.

The first feature is a limit on the number of fragmented IP packets in
the IP reassembly queue.
The default limit is 200 and can be changed with the sysctl(8)
variable "net.inet.ip.maxfragpackets". To change the limit of the
number of packets on the IP reassembly queue, add a command like the
following to the end of /etc/netstart. This example would reduce the
limit on outstanding fragments to 100:

    sysctl -w net.inet.ip.maxfragpackets=100

The second feature is an optional test to ensure that packets are
received on the expected interface. This feature looks up the route
back to the source of received IP packets. If there is no route to the
source available, or the packet did not arrive on the expected
interface, the packet is discarded. The expected interface is the one
that would be used to send a packet back to the reported source of the
packet.

IP source address verification should not be used when concurrent
alternate paths exist from the BSD/OS system where this feature is
enabled, as this may cause valid packets to be discarded. For example,
a small ISP that has one connection to a backbone network and one
connection to each of its clients could enable this feature. If the
same ISP has two connections to a backbone network, or one connection
to each of two backbone networks, they should not enable this feature.

IP source address verification is a valuable tool for protecting
against some forms of IP-spoofing as described in CERT advisory
CA 96.21, "TCP SYN Flooding and IP Spoofing Attacks". The full text of
this advisory is available as
ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding.

If you are a service provider, using IP source verification will
protect your customers against attacks from the Internet which appear
to be coming from your customers' networks, and it will ensure that
packets sent from your customers' networks have a source address on
your customers' networks (preventing them from spoofing source
addresses and/or attacking others).
This feature is enabled via the "net.inet.ip.sourcecheck" sysctl(8)
variable or by adding the "IPSOURCECHECK" option when building a
kernel. For example, to enable IP source address verification, add the
following command to the end of /etc/netstart:

    sysctl -w net.inet.ip.sourcecheck=1

The IP source address verification code will log a message when
discarding a packet. To prevent a large number of these packets from
using an excessive amount of disk space, log messages are limited to
one per IP address per time interval. The time interval defaults to
five seconds and may be configured with the
"net.inet.ip.sourcecheck_logint" sysctl(8) variable. A value of zero
disables the time interval.

This patch requires U210-025, which provides new copies of sysctl(8)
and netstat(1) for configuration and monitoring of these new features.

md5 checksum: c386e72f41d0e409d91b493631e364dd K210-021

===================================================================
PATCH: K210-022

SUMMARY:
This patch adds a TCP SYN cache.

When a large number of SYN packets arrive for the same TCP port, the
old code would drop the excess SYN packets, assuming that they will be
retransmitted and that the current 1/2 open connections will soon be
completed and removed from the queue. However, due to one-way and/or
long paths, or malicious intent, the queue can become clogged with 1/2
open connections that will never complete, preventing any valid
connections from being established.

With the SYN cache, when the accept queue overflows a minimal amount of
state is stored in the SYN cache, and a SYN,ACK response is sent. If a
valid ACK comes back, a complete connection is created. If there is no
route, or a TCP RST or ICMP Unreachable comes back, the entry is
deleted. Otherwise, the entries will just time out.

There are several new sysctl entries. Note that they should not be
changed unless there is evidence that the default values are not
adequate.
    o net.inet.tcp.syn_cache_limit
      This specifies the maximum number of entries that may be held in
      the SYN cache.

    o net.inet.tcp.syn_bucket_limit
      This specifies the maximum number of entries that may be held in
      any individual hash bucket of the SYN cache.

    o net.inet.tcp.syn_cache_interval
      This specifies, in 0.5 second increments, how often the timeout
      routine for the SYN cache should be run.

The default maximum cache size is 10255, with a hash table size of 293
and a maximum per bucket limit of 105 (10255 = 293*35, 105 = 3*35). If
INET_SERVER is defined, the default maximum cache size is 34895, with a
hash table size of 997 and a per bucket limit of 105 (34895 = 997*35,
105 = 3*35).

md5 checksum: 9ec62b5e9cc424b9b42089504256d926 K210-022

===================================================================
PATCH: K210-023

SUMMARY:
Synchronize de driver with latest stable version from Matt Thomas.
Includes support for the DE500-AA and fixes several bugs, one of which
caused systems to hang or corrupt packets under heavy network load.

This version of the driver does NOT add support for the Znyx 346
multiport card or the SMC9332BDT (the follow-on to the EtherPower
10/100); the SMC9332BDT is recognized as an SMC 8432BA and does not
operate.

Note: This driver supports sharing interrupts on the PCI bus, but a
problem in 2.1 (unrelated to the de driver) causes a warning message
to be generated at boot time when interrupts are shared. This message
is benign as long as the drivers sharing the interrupt are written to
share interrupts.

md5 checksum: f9322e8e2cfba4a6862e59896f2ce3a3 K210-023

===================================================================
PATCH: U210-024

SUMMARY:
This patch updates sendmail to the official 8.7.6 release, which fixes
some security problems from previous versions including those in the
CA-96.20 CERT advisory and a recent Bugtraq posting.
md5 checksum: baa7f3139d40c95f42f4f30725339314 U210-024

===================================================================
PATCH: U210-025

SUMMARY:
This patch should be installed in conjunction with the IP source
address check and IP fragmentation queue limit patch (K210-021) and
the SYN flooding patch (K210-022).

The /usr/sbin/netstat and /usr/sbin/sysctl binaries have been updated
to monitor and configure the kernel security patches mentioned above.
Both of these binaries can be run in conjunction with a kernel that
does not have the above two patches installed. The only side-effect
will be that the new /usr/sbin/netstat will display garbage for the
new counters.

The /usr/sbin/inetd binary has been updated to add the -u option, which
provides limited UDP source port checking. By default the new version
of inetd will ignore requests to internal services which appear to
come from internal services (to eliminate the loops which have been
the source of some attacks). See the manual page inetd(8) for more
information.

md5 checksum: d2ee01238ab6040e9b7a1bd2c3bf1016 U210-025

===================================================================
PATCH: U210-026

SUMMARY:
This patch fixes a potential security problem in the DNS lookup code
where the library routine was too trusting of data returned from the
remote server.

md5 checksum: d87b9efdf24f73ddef868388ecdf25f0 U210-026

===================================================================

Scott C. Sanchez -> email@example.com
--------------------------------------------------------------
New Media Production - A Division of Surf Network, Inc.
--------------------------------------------------------------
Willow Grove, PA -> 800.SURF.212 -> http://www.surfnetwork.com
--------------------------------------------------------------
"I haven't lost my mind; it's backed up on tape somewhere."
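The K210-021 README above describes IP source address verification (look up the route back to a packet's source and drop the packet if it did not arrive on the interface that route would use, or if there is no route at all) together with its rate-limited logging (one message per source address per net.inet.ip.sourcecheck_logint seconds, zero meaning no limit). The following C program is an added example written for this page; it is not BSDI's kernel code. The routing table, interface names (ppp0, ef0, sl0) and addresses are constructed to model the small-ISP case the README gives as the right place to enable the feature: one backbone link and one link per customer. The fixed-size log slot table and its least-recently-logged reuse are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

struct route { uint32_t dst; int plen; const char *ifname; };
struct rtable { const struct route *rt; size_t n; };

static uint32_t plen_mask(int plen)
{
    return plen == 0 ? 0 : 0xffffffffu << (32 - plen);
}

/* Longest-prefix match: the interface we would use to reach dst, or NULL. */
const char *rt_lookup(const struct rtable *t, uint32_t dst)
{
    const struct route *best = NULL;
    for (size_t i = 0; i < t->n; i++) {
        const struct route *r = &t->rt[i];
        uint32_t m = plen_mask(r->plen);
        if ((dst & m) == (r->dst & m) && (best == NULL || r->plen > best->plen))
            best = r;
    }
    return best ? best->ifname : NULL;
}

#define LOGSLOTS 64
struct sourcecheck {
    const struct rtable *rt;
    long logint;            /* like net.inet.ip.sourcecheck_logint; 0 = log every drop */
    struct { uint32_t src; long last; int used; } slot[LOGSLOTS];
    unsigned long dropped, logged;
};

/* One log line per source address per logint seconds (slot table is an assumption). */
static int sc_should_log(struct sourcecheck *s, uint32_t src, long now)
{
    if (s->logint == 0) return 1;
    int victim = 0;         /* slot to reuse for a new source: first free, else LRU */
    for (int i = 0; i < LOGSLOTS; i++) {
        if (!s->slot[i].used) { victim = i; break; }
        if (s->slot[i].src == src) {
            if (now - s->slot[i].last < s->logint) return 0;   /* still inside interval */
            s->slot[i].last = now;
            return 1;
        }
        if (s->slot[i].last < s->slot[victim].last) victim = i;
    }
    s->slot[victim].used = 1; s->slot[victim].src = src; s->slot[victim].last = now;
    return 1;
}

/* The check: accept only if the route back to src leaves through the interface
 * the packet arrived on.  Returns 1 = accept, 0 = drop. */
int ip_sourcecheck(struct sourcecheck *s, uint32_t src, const char *ifp, long now)
{
    const char *expected = rt_lookup(s->rt, src);
    if (expected != NULL && strcmp(expected, ifp) == 0) return 1;
    s->dropped++;
    if (sc_should_log(s, src, now)) {
        s->logged++;
        printf("ip_sourcecheck: drop src %u.%u.%u.%u on %s (route back via %s)\n",
               src >> 24, (src >> 16) & 255, (src >> 8) & 255, src & 255,
               ifp, expected ? expected : "none");
    }
    return 0;
}

/* Constructed table for a small ISP: one backbone link (ppp0) and one link per
 * customer network (ef0, sl0).  All names and prefixes are assumptions. */
const struct route demo_routes[] = {
    { IP4(0, 0, 0, 0),       0, "ppp0" },   /* default route to the backbone */
    { IP4(192, 168, 1, 0),  24, "ef0"  },   /* customer A */
    { IP4(10, 0, 0, 0),      8, "sl0"  },   /* customer B */
};
const struct rtable demo_table = { demo_routes, 3 };

int main(void)
{
    struct sourcecheck s;
    memset(&s, 0, sizeof s);
    s.rt = &demo_table;
    s.logint = 5;
    printf("customer A from ef0:  %d\n", ip_sourcecheck(&s, IP4(192,168,1,5), "ef0", 0));
    printf("customer A from ppp0: %d\n", ip_sourcecheck(&s, IP4(192,168,1,5), "ppp0", 0));
    printf("same again at t=3:    %d\n", ip_sourcecheck(&s, IP4(192,168,1,5), "ppp0", 3));
    printf("logged %lu of %lu drops\n", s.logged, s.dropped);
    return 0;
}
```

The two drop cases are the ones the README calls out: a packet from the backbone claiming a customer address (the spoof CA-96.21 describes), and a customer packet whose source belongs to someone else. The README's warning about multiple backbone links follows directly from rt_lookup: with two equal-cost paths the table names only one interface, so legitimate packets on the other are dropped.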
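The K210-022 README above describes the SYN cache only in outline: minimal state per half-open connection, a hash table with a per-bucket limit (net.inet.tcp.syn_bucket_limit) and a cache-wide limit (net.inet.tcp.syn_cache_limit), promotion to a full connection on a valid ACK, deletion on RST or ICMP unreachable, and a periodic timeout. The C below is an added example written for this page to show how those pieces fit together; it is not the BSDI patch. What happens when a limit is hit is not stated in the README, so this example's policy (evict the entry nearest expiry, in the bucket for the bucket limit and cache-wide for the cache limit) and its fixed ISS counter are assumptions; a real stack would pick the ISS unpredictably.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal per-half-open-connection state, kept instead of a full PCB. */
struct sc_entry {
    struct sc_entry *next;
    uint32_t src, dst;          /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
    uint32_t iss;               /* our initial sequence number from the SYN,ACK */
    long expire;                /* absolute time (s) at which the entry times out */
};

struct syncache {
    struct sc_entry **bucket;
    size_t nbuckets, cache_limit, bucket_limit, count;
    long ttl;                   /* seconds an entry lives without a valid ACK */
    uint32_t next_iss;
    unsigned long evictions, timeouts;
};

int sc_init(struct syncache *sc, size_t nbuckets, size_t cache_limit,
            size_t bucket_limit, long ttl)
{
    memset(sc, 0, sizeof *sc);
    sc->bucket = calloc(nbuckets, sizeof *sc->bucket);
    if (sc->bucket == NULL) return -1;
    sc->nbuckets = nbuckets; sc->cache_limit = cache_limit;
    sc->bucket_limit = bucket_limit; sc->ttl = ttl;
    sc->next_iss = 0x1000;      /* assumption: a real stack randomizes the ISS */
    return 0;
}

static size_t sc_hash(const struct syncache *sc, uint32_t src, uint16_t sport, uint16_t dport)
{
    return (src * 2654435761u ^ ((uint32_t)sport << 16 | dport)) % sc->nbuckets;
}

/* Link pointing at the matching entry, or NULL if absent. */
static struct sc_entry **sc_find(struct syncache *sc, uint32_t src, uint32_t dst,
                                 uint16_t sport, uint16_t dport)
{
    struct sc_entry **pp = &sc->bucket[sc_hash(sc, src, sport, dport)];
    for (; *pp != NULL; pp = &(*pp)->next)
        if ((*pp)->src == src && (*pp)->dst == dst &&
            (*pp)->sport == sport && (*pp)->dport == dport)
            return pp;
    return NULL;
}

static void sc_unlink(struct syncache *sc, struct sc_entry **pp)
{
    struct sc_entry *e = *pp;
    *pp = e->next;
    free(e);
    sc->count--;
}

/* Evict the entry nearest expiry in bucket b, or cache-wide when b == nbuckets.
 * Which entry to sacrifice at a limit is this example's assumption. */
static void sc_evict_oldest(struct syncache *sc, size_t b)
{
    size_t lo = b == sc->nbuckets ? 0 : b, hi = b == sc->nbuckets ? sc->nbuckets : b + 1;
    struct sc_entry **oldest = NULL;
    for (size_t i = lo; i < hi; i++)
        for (struct sc_entry **pp = &sc->bucket[i]; *pp != NULL; pp = &(*pp)->next)
            if (oldest == NULL || (*pp)->expire <= (*oldest)->expire)
                oldest = pp;
    if (oldest != NULL) { sc_unlink(sc, oldest); sc->evictions++; }
}

/* SYN arrived while the accept queue is full: record it; 1 = send a SYN,ACK with *iss_out. */
int sc_syn(struct syncache *sc, uint32_t src, uint32_t dst, uint16_t sport,
           uint16_t dport, long now, uint32_t *iss_out)
{
    struct sc_entry **pp = sc_find(sc, src, dst, sport, dport);
    if (pp != NULL) { *iss_out = (*pp)->iss; return 1; }   /* retransmitted SYN */
    size_t b = sc_hash(sc, src, sport, dport), n = 0;
    for (struct sc_entry *e = sc->bucket[b]; e != NULL; e = e->next) n++;
    if (n >= sc->bucket_limit) sc_evict_oldest(sc, b);
    if (sc->count >= sc->cache_limit) sc_evict_oldest(sc, sc->nbuckets);
    struct sc_entry *e = malloc(sizeof *e);
    if (e == NULL) return 0;
    e->src = src; e->dst = dst; e->sport = sport; e->dport = dport;
    e->iss = sc->next_iss++;
    e->expire = now + sc->ttl;
    e->next = sc->bucket[b];
    sc->bucket[b] = e;
    sc->count++;
    *iss_out = e->iss;
    return 1;
}

/* Final ACK: promote only if it acknowledges the ISS we sent, which a blind
 * spoofer never saw.  Returns 1 when a full connection should be created. */
int sc_ack(struct syncache *sc, uint32_t src, uint32_t dst, uint16_t sport,
           uint16_t dport, uint32_t ack)
{
    struct sc_entry **pp = sc_find(sc, src, dst, sport, dport);
    if (pp == NULL || (*pp)->iss + 1 != ack) return 0;
    sc_unlink(sc, pp);
    return 1;
}

/* RST or ICMP unreachable for a half-open connection: forget it at once. */
int sc_abort(struct syncache *sc, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    struct sc_entry **pp = sc_find(sc, src, dst, sport, dport);
    if (pp == NULL) return 0;
    sc_unlink(sc, pp);
    return 1;
}

/* Timer routine (run every net.inet.tcp.syn_cache_interval): expire stale entries. */
size_t sc_timer(struct syncache *sc, long now)
{
    size_t dropped = 0;
    for (size_t b = 0; b < sc->nbuckets; b++)
        for (struct sc_entry **pp = &sc->bucket[b]; *pp != NULL;)
            if ((*pp)->expire <= now) { sc_unlink(sc, pp); dropped++; }
            else pp = &(*pp)->next;
    sc->timeouts += dropped;
    return dropped;
}
```

The point the README makes is visible in sc_syn and sc_ack: a flood of never-completed SYNs can only churn the bounded cache (evictions rise, count stays at the limit), while a client that really answers the SYN,ACK still completes because its ACK carries the ISS. The per-bucket limit matters separately from the cache limit because an attacker who can make all forged sources hash to one bucket must not be able to starve the others.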