The Official Word from BSDI

From scotts@surfnetwork.com Mon Oct 14 21:23:40 1996
Date: Mon, 14 Oct 1996 14:00:02 -0500
From: "Scott C. Sanchez" <scotts@surfnetwork.com>
To: inet-access@earth.com
Subject: New OFFICIAL patches for BSD/OS 2.1, including SYN attack patch

Here is the word from BSDI themselves....

Date: Thu, 3 Oct 1996 17:42:46 -0600 (MDT)
To: customers@bsdi.com
Subject: New OFFICIAL patches for BSD/OS 2.1, including SYN attack patch
From: polk@bsdi.com


There are several new patches available from the patches
server or via the ftp archive at:
        ftp://ftp.bsdi.com/bsdi/patches/patches-2.1

All of the README file entries are appended at the bottom
of this message.  The patches are U210-024, U210-025, U210-026,
K210-021, K210-022, and K210-023.  The kernel patches depend
on the K210-019 performance patch which is now available to all
BSDI 2.1 customers via anonymous ftp (it had previously only
been available for customers with valid support contracts).
As usual, the md5 signatures are in the README entries
and the pgp signatures are in the signatures subdirectory of
the patches directory.

The first of the utilities patches (U210-024) has been available
from the servers since Sept. 18, but has not been announced until
now -- it updates sendmail to version 8.7.6, thus closing the
holes referenced in CERT advisory CA-96.20.

The third utilities patch (U210-026) replaces the shared libc
library and closes a hole in the resolver library routines which
has seen discussion recently in various security related forums.

The third kernel patch (K210-023) updates the de(4)
DEC PCI Ethernet driver to include support for the
DE500-AA version and fixes several bugs.

The remainder of the patches (K210-021, K210-022, and U210-025)
add support for IP source checking, and for reducing and/or
eliminating problems associated with SYN attacks, IP fragment
attacks, and some other denial of service/looped server attacks.

IP source address verification is a valuable tool for protecting
against some forms of IP-spoofing as described in CERT advisory CA
96.21, "TCP SYN Flooding and IP Spoofing Attacks".  The full text
of this advisory is available as:
    ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding

If you are a service provider, using IP source verification will
protect your customers against attacks from the Internet which
appear to be coming from your customers' networks, and it will
ensure that packets sent from your customers' networks have a source
address on your customers' networks (preventing them from spoofing
source addresses and/or attacking others).

Jeff
--
     /\   Jeff Polk            Berkeley Software Design, Inc. (BSDI)
  /\/  \  polk@BSDI.COM        5575 Tech Center Dr. #110, Colo Spgs, CO 80919

[additional note from Jeff:  There is also an official press release
about the patch (and the fact that we're giving the code away for other
BSD based OS's) on our web server at www.BSDI.COM.]

===================================================================

PATCH:
    K210-019

SUMMARY:
        This patch adds several TCP performance enhancements.
            o PCB hashing
            o Optimized delayed ACK processing
            o Optimized TIME-WAIT state processing
            o Initial congestion window fixes
            o Eliminate sending small packets when more data is
              waiting to be copied from the application, but
              don't delay them unnecessarily when there isn't.

        This patch also includes a new kernel config option,
        INET_SERVER.  Turning on this option will cause the
        PCB hashing code to use a much larger hash table.
        Typically this would be useful on busy WEB servers.

md5 checksum: 9527c357be5a70f718236073a66fad94 K210-019

===================================================================

PATCH:
    K210-021

SUMMARY:
        This patch adds two networking features that can help defeat
        and detect some types of denial of service attacks.


        The first feature is a limit on the number of fragmented IP
        packets in the IP reassembly queue.  The default limit is 200
        and can be changed with the sysctl(8) variable
        "net.inet.ip.maxfragpackets".  To change the limit of the
        number of packets on the IP reassembly queue add a command
        like the following to the end of /etc/netstart.  This example
        would reduce the limit on outstanding fragments to 100:

                sysctl -w net.inet.ip.maxfragpackets=100


        The second feature is an optional test to ensure that packets
        are received on the expected interface.  This feature looks up
        the route back to the source of received IP packets.  If there
        is no route to the source available, or the packet did not
        arrive on the expected interface, the packet is discarded.  The
        expected interface is the one that would be used to send a
        packet back to the reported source of the packet.

        IP source address verification should not be used when
        concurrent alternate paths exist from the BSD/OS system where
        this feature is enabled, as this may cause valid packets to be
        discarded.  For example, a small ISP that has one connection to a
        backbone network and one connection to each of its clients
        could enable this feature.  If the same ISP has two
        connections to a backbone network, or one connection to each
        of two backbone networks, it should not enable this feature.

        IP source address verification is a valuable tool for
        protecting against some forms of IP-spoofing as described in
        CERT advisory CA 96.21, "TCP SYN Flooding and IP Spoofing
        Attacks".  The full text of this advisory is available as
        ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding.
        If you are a service provider, using IP source verification
        will protect your customers against attacks from the Internet
        which appear to be coming from your customers' networks, and
        it will ensure that packets sent from your customers' networks
        have a source address on your customers' networks (preventing
        them from spoofing source addresses and/or attacking others).

        This feature is enabled via the "net.inet.ip.sourcecheck"
        sysctl(8) variable or by adding the "IPSOURCECHECK" option
        when building a kernel.  For example, to enable IP source
        address verification, add the following command to the end of
        /etc/netstart:

                sysctl -w net.inet.ip.sourcecheck=1

        The IP source address verification code will log a message
        when discarding a packet.  To prevent a large number of
        these packets from using an excessive amount of disk space,
        log messages are limited to one per IP address per time
        interval.  The time interval defaults to five seconds and
        may be configured with the "net.inet.ip.sourcecheck_logint"
        sysctl(8) variable.  A value of zero disables the time
        interval.


        This patch requires U210-025 which provides new copies of
        sysctl(8) and netstat(1) for configuration and monitoring of
        these new features.

md5 checksum: c386e72f41d0e409d91b493631e364dd K210-021

===================================================================

PATCH:
    K210-022

SUMMARY:
        This patch adds a TCP SYN cache.  When a large number of
        SYN packets arrive for the same TCP port, the old code would
        drop the excess SYN packets, assuming that they will be
        retransmitted and that the current 1/2 open connections
        will soon be completed and removed from the queue.

        However, due to one-way and/or long paths, or malicious
        intent, the queue can become clogged with 1/2 open connections
        that will never complete, preventing any valid connections
        from being established.

        With the SYN cache, when the accept queue overflows a
        minimal amount of state is stored in the SYN cache, and
        a SYN,ACK response is sent.  If a valid ACK comes back,
        a complete connection is created.  If there is no route
        or a TCP RST or ICMP Unreachable comes back, the entry
        is deleted.  Otherwise, the entries will just time out.

        There are several new sysctl entries.  Note that they
        should not be changed unless there is evidence that the
        default values are not adequate.
          o net.inet.tcp.syn_cache_limit
                This specifies the maximum number of entries
                that may be held into the SYN cache.
          o net.inet.tcp.syn_bucket_limit
                This specifies the maximum number of entries
                that may be held in any individual hash bucket
                of the SYN cache.
          o net.inet.tcp.syn_cache_interval
                This specifies in 0.5 second increments, how
                often the timeout routine for the SYN cache
                should be run.

        The default maximum cache size is 10255, with a hash
        table size of 293 and a maximum per bucket limit of
        105 (10255 = 293*35, 105 = 3*35).  If INET_SERVER
        is defined, the default maximum cache size is 34895,
        a hash table size of 997, and a per bucket limit of
        105 (34895 = 997*35, 105 = 3*35).

md5 checksum: 9ec62b5e9cc424b9b42089504256d926 K210-022

===================================================================

PATCH:
    K210-023

SUMMARY:
        Synchronize de driver with latest stable version from Matt
        Thomas.  Includes support for the DE500-AA and fixes several
        bugs, one of which caused systems to hang or corrupt packets
        under heavy network load. This version of the driver does
        NOT add support for the Znyx 346 multiport card or the
        SMC9332BDT (the follow on to the EtherPower 10/100); the
        SMC9332BDT is recognized as an SMC 8432BA and does not
        operate.

        Note: This driver supports sharing interrupts on the PCI bus,
        but a problem in 2.1 (unrelated to the de driver) causes
        a warning message to be generated at boot time when interrupts
        are shared. This message is benign as long as the drivers
        sharing the interrupt are written to share interrupts.

md5 checksum: f9322e8e2cfba4a6862e59896f2ce3a3 K210-023

===================================================================

PATCH:
    U210-024

SUMMARY:
    This patch updates sendmail to the official 8.7.6 release which
    fixes some security problems from previous versions including
    those in the CA-96.20 CERT advisory and a recent Bugtraq posting.

md5 checksum: baa7f3139d40c95f42f4f30725339314 U210-024

===================================================================

PATCH:
    U210-025

SUMMARY:
        This patch should be installed in conjunction with IP source
        address check and IP fragmentation queue limit patch
        (K210-021) and SYN flooding patch (K210-022).

        The /usr/sbin/netstat and /usr/sbin/sysctl binaries have been
        updated to monitor and configure the kernel security patches
        mentioned above.  Both of these binaries can be run in
        conjunction with a kernel that does not have the above two
        patches installed.  The only side-effect will be that the new
        /usr/sbin/netstat will display garbage for the new counters.

        The /usr/sbin/inetd binary has been updated to add the -u
        option which provides limited UDP source port checking.
        By default the new version of inetd will ignore requests
        to internal services which appear to come from internal
        services (to eliminate the loops which have been the source
        of some attacks).  See the manual page inetd(8) for
        more information.

md5 checksum: d2ee01238ab6040e9b7a1bd2c3bf1016 U210-025

===================================================================

PATCH:
    U210-026

SUMMARY:
    This patch fixes a potential security problem in the DNS
    lookup code where the library routine was too trusting of data
    returned from the remote server.

md5 checksum: d87b9efdf24f73ddef868388ecdf25f0 U210-026

===================================================================

Scott C. Sanchez -> scotts@surfnetwork.com
--------------------------------------------------------------
New Media Production - A Division of Surf Network, Inc.
--------------------------------------------------------------
Willow Grove, PA -> 800.SURF.212 -> http://www.surfnetwork.com
--------------------------------------------------------------
"I haven't lost my mind; it's backed up on tape somewhere."
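The interface check and rate-limited logging that K210-021 describes, modelled as an added example (not BSDI's kernel code): the routing table, interface names and packets are constructed here, and the sysctl names appear only as comments on the knobs they correspond to.

```python
"""Model of the K210-021 IP source-address check: a packet is accepted only
if the route back to its source leaves on the interface it arrived on.
Added example; routing table and traffic below are constructed."""
import ipaddress

# Constructed table for the "small ISP" case in the README: one backbone
# link (default route) and one link per customer network.
ROUTES = [
    ("0.0.0.0/0", "de0"),         # backbone
    ("192.0.2.0/24", "de1"),      # customer A
    ("198.51.100.0/24", "de2"),   # customer B
]
_ROUTES = sorted(((ipaddress.ip_network(n), i) for n, i in ROUTES),
                 key=lambda r: r[0].prefixlen, reverse=True)

def route_lookup(addr):
    """Longest-prefix match: interface a packet TO addr would leave on."""
    ip = ipaddress.ip_address(addr)
    for net, iface in _ROUTES:
        if ip in net:
            return iface
    return None  # no route at all

class SourceCheck:
    def __init__(self, enabled=1, logint=5.0):
        self.enabled = enabled   # net.inet.ip.sourcecheck
        self.logint = logint     # net.inet.ip.sourcecheck_logint (0 = log every drop)
        self.last_log = {}       # source address -> time of its last log line
        self.log = []
        self.dropped = 0

    def ip_input(self, src, in_iface, now):
        """Return True to accept the packet, False to discard it."""
        if not self.enabled:
            return True
        expected = route_lookup(src)
        if expected == in_iface:
            return True
        self.dropped += 1
        last = self.last_log.get(src)
        # One log line per source per interval keeps a flood from filling the disk.
        if self.logint == 0 or last is None or now - last >= self.logint:
            self.last_log[src] = now
            why = "no route" if expected is None else "expected " + expected
            self.log.append("ip_input: %s on %s (%s), dropped" % (src, in_iface, why))
        return False
```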
