From proff  Mon Sep 23 14:35:27 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id OAA04436 for best-of-security; Mon, 23 Sep 1996 14:35:27 +1000
Received: (list@localhost) by suburbia.net (8.7.4/Proff-950810) id OAA04428 for proff@suburbia.net; Mon, 23 Sep 1996 14:35:07 +1000
X-Envelope-From: proff  Mon Sep 23 14:35:06 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id OAA04417 for best-of-security; Mon, 23 Sep 1996 14:35:06 +1000
Received: (sendmail@localhost) by suburbia.net (8.7.4/Proff-950810) id OAA03267 for <proff@suburbia.net>; Mon, 23 Sep 1996 14:31:35 +1000
Received: from churchy.gnu.ai.mit.edu(128.52.46.32)
 via SMTP by suburbia.net, id smtpd28269aaa; Mon Sep 23 01:06:55 1996
Received: by churchy.gnu.ai.mit.edu (8.6.12/8.6.12GNU) id UAA01903 for meditation-list; Sun, 22 Sep 1996 20:54:28 -0400
Received: from amber.ccs.neu.edu by churchy.gnu.ai.mit.edu (8.6.12/8.6.12GNU) with ESMTP id UAA01901 for <meditation@gnu.ai.mit.edu>; Sun, 22 Sep 1996 20:54:24 -0400
Received: from krakatoa.ccs.neu.edu (dogcow@krakatoa.ccs.neu.edu [129.10.113.82])
	by amber.ccs.neu.edu (8.7.5/8.7.3) with ESMTP id UAA16802
	for <meditation@gnu.ai.mit.edu>; Sun, 22 Sep 1996 20:54:23 -0400 (EDT)
From: "Tom 'moof' Spindler" <dogcow@ccs.neu.edu>
Received: (dogcow@localhost)
	by krakatoa.ccs.neu.edu (8.7.5/8.6.4) id UAA10199
	for meditation@gnu.ai.mit.edu; Sun, 22 Sep 1996 20:54:23 -0400 (EDT)
Message-Id: <199609230054.UAA10199@krakatoa.ccs.neu.edu>
Subject: Re: SYN resistant kernels patches expanded (fwd)
To: meditation@gnu.ai.mit.edu (yow! )
Date: Sun, 22 Sep 1996 20:54:22 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL23beta2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: proff
Approved: proff@suburbia.net

(You don't want to know where this came from.)

Forwarded message:

This should take care of most OSs; more OSs will be added to

http://www.netaxs.com/~freedman/syn/

as patches are released.

The SunOS 4.1.x patches are nicest, because the tables will dynamically
grow as the attack speed increases.

SunOS 5.x is configurable on the fly, so others are writing simple
programs to re-adjust the kernel parameters as the number of SYNs
increases.  Suitably high values might be enough for most systems.

All the technical details on the changes are on the above URL.  If you
make a patch, please submit it there.

- Matt

---------- Forwarded message ----------
Date: Fri, 20 Sep 1996 07:07:51 -0500
From: Ken McKittrick <klmac@vcomm.net>
Reply-To: inet-access@earth.com
To: inet-access@earth.com
Subject: Re: SYN resistant kernels patches expanded
Resent-Date: Fri, 20 Sep 1996 05:06:50 -0600 (MDT)
Resent-From: inet-access@earth.com

Avi

I took the info from your website and passed it on to one of our SysAdmins.
He expanded it to include most of the popular Operating Systems. Feel free
to add it to your WebSite. Please note the source, though: Chris Blizzard,
NYSERNet, Inc.

Yes this is a Technical Mailing list, but you gotta have a sense of humor. :-)


------
SunOS
------

As taken from:

http://www.netaxs.com/~freedman/syn/

Please refer to this site for the object files listed below.

------

How to make BSD (SunOS) kernels SYN-attack resistant

The quick version: Grab the appropriate object files and rebuild your kernel

The two key fixes in BSD-derived TCP OS code.
For SunOS, I've supplied the three modules you'll need to replace
for Sun4c and Sun4m architectures.

The quick fix is to put these three modules in your
/usr/kvm/sys/sun4c/OBJ or /usr/kvm/sys/sun4m/OBJ directory and
build a new kernel.

For sun4c: uipc_socket2.o tcp_input.o tcp_usrreq.o

For sun4m: uipc_socket2.o tcp_input.o tcp_usrreq.o


Our experience with the patches is that even on a lowly Sparc 1+, it can
easily repel 50-200 SYNs/second.  And a Sparc 10 model 30 can repel 1000-2000
packets/second without a sweat.


------
Solaris
------

The Solaris kernel is configurable at run time using the "ndd" utility.
The settings that you have to worry about are:

tcp_conn_req_max - This is the number of half open connections that are
        allowed on a port.  This is 32 seconds by default.  You should
        change this to 1024.

tcp_ip_abort_cinterval - This is the amount of time that a connection is
        allowed to stay in a half open state.  This is 180,000
        (3 minutes) by default.  You can change this to 25,000
        if you want (25 seconds).  Please note that by changing this
        you may find that SLIP/PPP users may have problems contacting
        your site.

To view your current settings, use the following commands:

/usr/sbin/ndd /dev/tcp tcp_ip_abort_cinterval
/usr/sbin/ndd /dev/tcp tcp_conn_req_max

You can set these variables with the following commands:

/usr/sbin/ndd -set /dev/tcp tcp_ip_abort_cinterval 25000
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max 1024

------
Digital Unix
------

Changing the settings for Digital Unix can be done in the following
header files:

/usr/sys/include/sys/socket.h:

#define SOMAXCONN       8

This is the number of pending connections.  You may want to change this
to 1024.

/usr/sys/include/netinet/tcp_timer.h

#define TCPTV_KEEP_INIT ( 75*PR_SLOWHZ)


This is the timeout of the half open connections in seconds.  You may
want to change this.

------
BSDI 2.1
------

BSDI allows you to change these settings at run time and in the header
files.

To view your current settings at runtime please use the following commands:

sysctl net.inet.tcp.conntimeo ( 75 seconds by default )
sysctl net.socket.maxconn ( 64 by default )

They can be changed with the following commands:


sysctl net.inet.tcp.conntimeo 25
sysctl net.socket.maxconn 1024

In the header files you can adjust this:

/usr/src/sys/sys/socket.h:

#define SOMAXCONN 64

/usr/src/sys/netinet/tcp_timer.h

#define TCPTV_KEEP_INIT (75 * PR_SLOWHZ)

------
Linux
------


As of version 2.0.5 the Linux kernel is unusually vulnerable to this kind
of attack because the TCP timer is badly broken.  Half open sockets will
stay open as long as 20 minutes.  A fix for this is "in the works".  The
maximum number of half open connections is 128 by default.  It can be
changed in the file:

/usr/src/linux/include/linux/socket.h

#define SOMAXCONN       128




-------------------------------------------------------------------
Christopher Blizzard   | "The truth knocks on the door and you say
blizzard@nysernet.org  | 'Go away.  I'm looking for the truth,' and
NYSERNet, Inc.         | so it goes away."  --Robert Pirsig

Ken McKittrick                NYSERNet Customer Support
kmckittr@nysernet.org         Technical Consultant
support@nysernet.org          1-800-727-0793



============================== ISP Mailing List ==============================
Email ``unsubscribe'' to inet-access-request@earth.com to be removed.
Only quote enough text in your message to give proper context.
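Added example (not part of the forwarded messages or of any of the vendor patches they describe): a small Python model of a per-port half-open connection table, to show why the two knobs the Solaris and BSDI sections tune (the table size and the half-open abort interval) decide how many SYNs per second a host can absorb. It assumes the worst case the thread is about: every SYN is spoofed, no handshake ever completes, and an entry leaves the table only when the abort interval elapses. The class and function names, the run lengths and the SYN rates used below are constructed for illustration; only the parameter values (32 entries / 180,000 ms by default, 1024 / 25,000 ms recommended) are taken from the text.

```python
"""Model of a per-port half-open (SYN_RCVD) table under a stream of
SYNs that never complete the handshake.

Simplifications (assumptions of this example, not kernel behaviour):
  * every SYN is spoofed and never completes, so an entry is freed
    only when the abort interval elapses;
  * SYNs arrive at a perfectly even rate;
  * the table is a plain FIFO of arrival timestamps.
Real kernels retransmit SYN/ACK, reuse slots and count entries
slightly differently, so treat the numbers as planning estimates.
"""
from collections import deque


class HalfOpenTable:
    """Per-port table of pending connections, bounded in size and age."""

    def __init__(self, max_entries, abort_interval_ms):
        self.max_entries = max_entries          # e.g. tcp_conn_req_max
        self.abort_interval_ms = abort_interval_ms  # e.g. tcp_ip_abort_cinterval
        self.pending = deque()                  # arrival times (ms), oldest first
        self.accepted = 0
        self.dropped = 0

    def expire(self, now_ms):
        """Evict every entry whose abort interval has run out."""
        while self.pending and now_ms - self.pending[0] >= self.abort_interval_ms:
            self.pending.popleft()

    def syn(self, now_ms):
        """Process one SYN; return True if a slot was available."""
        self.expire(now_ms)
        if len(self.pending) >= self.max_entries:
            self.dropped += 1               # the port looks dead to new clients
            return False
        self.pending.append(now_ms)
        self.accepted += 1
        return True


def simulate(max_entries, abort_interval_ms, syn_rate_per_s, duration_s):
    """Feed an even SYN stream into the table and return (accepted, dropped)."""
    table = HalfOpenTable(max_entries, abort_interval_ms)
    spacing_ms = 1000.0 / syn_rate_per_s
    for i in range(int(syn_rate_per_s * duration_s)):
        table.syn(i * spacing_ms)
    return table.accepted, table.dropped


def saturating_rate(max_entries, abort_interval_ms):
    """Steady-state SYN rate (per second) that keeps the table permanently full:
    entries live abort_interval_ms each, so the table holds rate * interval."""
    return max_entries * 1000.0 / abort_interval_ms


if __name__ == "__main__":
    # Solaris defaults from the text vs. the recommended values, one minute each.
    for label, size, interval in (("default", 32, 180000), ("tuned", 1024, 25000)):
        print(f"{label:8s} saturates at {saturating_rate(size, interval):6.2f} SYN/s")
        for rate in (10, 100):
            acc, drp = simulate(size, interval, rate, 60)
            print(f"  {rate:4d} SYN/s for 60 s: accepted={acc:5d} dropped={drp:5d}")
```

The default table is exhausted by fewer than one SYN every five seconds, which is why the thread treats the stock settings as indefensible; the recommended values raise the bar to roughly 41 SYN/s, still below the 50-200 SYN/s the SunOS section quotes for a patched Sparc 1+, so on Solaris the tuning buys headroom rather than immunity, and a shorter abort interval also costs legitimate slow-link clients, as the text warns.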

