Solaris, DEC Unix, BSDI, and Linux SYN attack prevention hacks

From klmac@vcomm.net Fri Sep 20 10:19:02 1996
From: Ken McKittrick <klmac@vcomm.net>
To: inet-access@earth.com
Subject: Re: SYN resistant kernels patches expanded

------
Solaris
------

The Solaris kernel is configurable at run time using the "ndd" utility.
The settings that you have to worry about are:

tcp_conn_req_max - This is the number of half open connections that are
        allowed on a port.  This is 32 seconds by default.  You should
        change this to 1024.

tcp_ip_abort_cinterval - This is the amount of time that a connection is
        allowed to stay in a half open state.  This is 180,000
        (3 minutes) by default.  You can change this to 25,000
        if you want (25 seconds).  Please note that by changing this
        you may find that SLIP/PPP users may have problems contacting
        your site.

To view your current settings, use the following commands:

/usr/sbin/ndd /dev/tcp tcp_ip_abort_cinterval
/usr/sbin/ndd /dev/tcp tcp_conn_req_max

You can set these variables with the following commands:

/usr/sbin/ndd -set /dev/tcp tcp_ip_abort_cinterval 25000
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max 1024

------
Digital Unix
------

Changing the settings for Digital Unix can be done in the following
header files:

/usr/sys/include/sys/socket.h:

#define SOMAXCONN       8

This is the number of pending connections.  You may want to change this
to 1024.

/usr/sys/include/netinet/tcp_timer.h

#define TCPTV_KEEP_INIT ( 75*PR_SLOWHZ)

This is the timeout of the half open connections in seconds.  You may
want to change this.

------
BSDI 2.1
------

BSDI allows you to change these settings at run time and in the header
files.

To view your current settings at runtime please use the following commands:

sysctl net.inet.tcp.conntimeo ( 75 seconds by default )
sysctl net.socket.maxconn ( 64 by default )

They can be changed with the following commands:

sysctl net.inet.tcp.conntimeo 25
sysctl net.socket.maxconn 1024

In the header files you can adjust this:

/usr/src/sys/sys/socket.h:

#define SOMAXCONN 64

/usr/src/sys/netinet/tcp_timer.h

#define TCPTV_KEEP_INIT (75 * PR_SLOWHZ)

------
Linux
------

As of version 2.0.5 the Linux kernel is unusually vulnerable to this kind
of attack because the TCP timer is badly broken.  Half open sockets will
stay open as long as 20 minutes.  A fix for this is "in the works".  The
maximum number of half open connections is 128 by default.  It can be
changed in the file:

/usr/src/linux/include/linux/socket.h

#define SOMAXCONN       128

-------------------------------------------------------------------
Christopher Blizzard   | "The truth knocks on the door and you say
blizzard@nysernet.org  | 'Go away.  I'm looking for the truth,' and
NYSERNet, Inc.         | so it goes away."  --Robert Pirsig

Ken McKittrick                NYSERNet Customer Support
kmckittr@nysernet.org         Technical Consultant
support@nysernet.org          1-800-727-0793
NYSERNet, Inc.


From indus@professionals.com Fri Sep 20 14:56:25 1996
From: Sanjay Dani <indus@professionals.com>
To: nanog@merit.edu
Subject: Re: SYN and Solaris

> From: dvv@sprint.net (Dima Volodin)
> The values to play with are tcp_conn_req_max (defines the max value for
> listen queue), tcp_ip_notify_cinterval (makes tcp send another SYN???),
> tcp_ip_abort_cinterval (aborts connection and frees the slot). Note "c"
> in "cinterval". I understand these timer values work for both incoming
> and outgoing connections.

On Solaris, the default for tcp_ip_abort_cinterval is
180000 ms (3 mins). You could try reducing it to a few seconds
(at the risk of denying service to legit clients connecting over
slow links) using

	#ndd -set /dev/tcp tcp_ip_abort_cinterval 

This affects ALL tcp connections on the system.

Solaris also lets you set the parameter for a specific destination
port if the SYN attacker does not use a random destination port:

	#include 
	#include 
	....
	int value = ;
	
	/* setsockopt() takes the option length as its fifth argument */
	setsockopt(fd, IPPROTO_TCP, TCP_CONN_ABORT_THRESHOLD, &value, sizeof(value));
	....

Sanjay.

PS. This feature may or may not be documented--I got it from a
friend at SunSoft.


<webmaster@mtiweb.com>