From email@example.com Fri Sep 20 10:19:02 1996
From: Ken McKittrick <firstname.lastname@example.org>
To: email@example.com
Subject: Re: SYN resistant kernels patches expanded

------ Solaris ------

The Solaris kernel is configurable at run time using the "ndd" utility.
The settings that you have to worry about are:

tcp_conn_req_max - This is the number of half open connections that are
allowed on a port. This is 32 seconds by default. You should change this
to 1024.

tcp_ip_abort_cinterval - This is the amount of time that a connection is
allowed to stay in a half open state. This is 180,000 (3 minutes) by
default. You can change this to 25,000 if you want (25 seconds). Please
note that by changing this you may find that SLIP/PPP users may have
problems contacting your site.

To view your current settings, use the following commands:

    /usr/sbin/ndd /dev/tcp tcp_ip_abort_cinterval
    /usr/sbin/ndd /dev/tcp tcp_conn_req_max

You can set these variables with the following commands:

    /usr/sbin/ndd -set /dev/tcp tcp_ip_abort_cinterval 25000
    /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max 1024

[NOTE: more on Solaris here]

------ Digital Unix ------

Changing the settings for Digital Unix can be done in the following
header files:

/usr/sys/include/sys/socket.h:

    #define SOMAXCONN 8

This is the number of pending connections. You may want to change this
to 1024.

/usr/sys/include/netinet/tcp_timer.h:

    #define TCPTV_KEEP_INIT ( 75*PR_SLOWHZ)

This is the timeout of the half open connections in seconds. You may
want to change this.

------ BSDI 2.1 ------

BSDI allows you to change these settings at run time and in the header
files.

To view your current settings at runtime please use the following
commands:

    sysctl net.inet.tcp.conntimeo    ( 75 seconds by default )
    sysctl net.socket.maxconn        ( 64 by default )

They can be changed with the following commands:

    sysctl net.inet.tcp.conntimeo 25
    sysctl net.socket.maxconn 1024

In the header files you can adjust this:

/usr/src/sys/sys/socket.h:

    #define SOMAXCONN 64

/usr/src/sys/netinet/tcp_timer.h:

    #define TCPTV_KEEP_INIT (75 * PR_SLOWHZ)

------ Linux ------

As of version 2.0.5 the Linux kernel is unusually vulnerable to this
kind of attack because the TCP timer is badly broken. Half open sockets
will stay open as long as 20 minutes. A fix for this is "in the works".

The maximum number of half open connections is 128 by default. It can
be changed in the file:

/usr/src/linux/include/linux/socket.h

    #define SOMAXCONN 128

-------------------------------------------------------------------
Christopher Blizzard           | "The truth knocks on the door and you say
firstname.lastname@example.org | 'Go away. I'm looking for the truth,' and
NYSERNet, Inc.                 | so it goes away." --Robert Pirsig

Ken McKittrick                   NYSERNet Customer Support
email@example.com                Technical Consultant
firstname.lastname@example.org   1-800-727-0793
                                 NYSERNet, Inc.
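As an added example that is not part of the thread, the shell function below counts half-open TCP connections per local port in "netstat -an" output, so the listen-queue limits discussed above (tcp_conn_req_max, net.socket.maxconn, SOMAXCONN) can be compared with what a host is actually holding. The netstat column layouts it recognises and the sample lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): count half-open TCP
# connections per local port in "netstat -an" output and report ports whose
# count has reached a chosen fraction of the listen-queue limit
# (tcp_conn_req_max / SOMAXCONN / net.socket.maxconn in the thread).

# half_open_report LIMIT
#   Reads "netstat -an" lines on stdin. Handles the Solaris layout (local
#   address in column 1, host.port) and the BSD/Linux layouts (protocol in
#   column 1, local address in column 4, host.port or host:port). Prints
#   "port count" for each local port with at least LIMIT connections in
#   SYN_RCVD (Solaris/BSD) or SYN_RECV (Linux), busiest port first.
half_open_report() {
    awk -v limit="$1" '
        $NF == "SYN_RCVD" || $NF == "SYN_RECV" {
            laddr = ($1 ~ /^tcp/) ? $4 : $1
            n = split(laddr, part, "[.:]")   # port is the last component
            count[part[n]]++
        }
        END {
            for (p in count)
                if (count[p] + 0 >= limit + 0) print p, count[p]
        }' | sort -k2,2nr -k1,1n
}

# Constructed Solaris-style "netstat -an" sample (not real captured output):
# three half-open connections to port 80, one to port 25, two established.
SAMPLE_NETSTAT='   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
10.0.0.1.80          203.0.113.5.40001     8760      0  8760      0 SYN_RCVD
10.0.0.1.80          203.0.113.9.40002     8760      0  8760      0 SYN_RCVD
10.0.0.1.80          203.0.113.14.40003    8760      0  8760      0 SYN_RCVD
10.0.0.1.80          198.51.100.2.51000    8760      0  8760      0 ESTABLISHED
10.0.0.1.25          203.0.113.77.40004    8760      0  8760      0 SYN_RCVD
10.0.0.1.22          198.51.100.3.51001    8760      0  8760      0 ESTABLISHED'

# Constructed Linux-style sample with the same pattern, to show the other layout.
SAMPLE_NETSTAT_LINUX='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.1:80             203.0.113.5:40001       SYN_RECV
tcp        0      0 10.0.0.1:80             203.0.113.9:40002       SYN_RECV
tcp        0      0 10.0.0.1:25             203.0.113.77:40004      SYN_RECV'

# Report ports with 3 or more half-open connections (a low threshold for
# the sample; on a host with tcp_conn_req_max 1024 you might use 512).
printf '%s\n' "$SAMPLE_NETSTAT" | half_open_report 3
```

On a live host, replace the printf with "netstat -an | half_open_report N" and pick N relative to the queue limit you configured.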
From email@example.com Fri Sep 20 14:56:25 1996
From: Sanjay Dani <firstname.lastname@example.org>
To: email@example.com
Subject: Re: SYN and Solaris

> From: firstname.lastname@example.org (Dima Volodin)
> The values to play with are tcp_conn_req_max (defines the max value for
> listen queue), tcp_ip_notify_cinterval (makes tcp send another SYN???),
> tcp_ip_abort_cinterval (aborts connection and frees the slot). Note "c"
> in "cinterval". I understand these timer values work for both incoming
> and outgoing connections.

On Solaris, the default for tcp_ip_abort_cinterval is 180000 ms (3 mins).
You could try reducing it to a few seconds (at the risk of denying
service to legit clients connecting over slow links) using

    #ndd -set /dev/tcp tcp_ip_abort_cinterval

This affects ALL tcp connections on the system. Solaris also lets you
set the parameter for a specific destination port if the SYN attacker
does not use a random destination port:

    #include <sys/socket.h>
    #include <netinet/tcp.h>
    ....
    int value = ;   /* abort threshold in ms; the value was left blank in the original */
    setsockopt(fd, IPPROTO_TCP, TCP_CONN_ABORT_THRESHOLD, &value, sizeof(value));
    ....

Sanjay.

PS. This feature may or may not be documented--I got it from a friend
at SunSoft.