This message was forwarded through several mailing lists, so I cut out
all the irrelevant stuff.
Also, for BSDI 2.1, the correct commands that _set_ those parameters are:
sysctl net.inet.tcp.conntimeo=25
and
sysctl net.socket.maxconn=1024
not as it says below.
Hope it helps,
-- yu
> Date: Fri, 20 Sep 1996 07:07:51 -0500
> From: Ken McKittrick <klmac@vcomm.net>
> Subject: Re: SYN resistant kernels patches expanded
>
> I took the info from your website and passed it on to one of our SysAdmins.
> He expanded it to include most of the popular Operating Systems. Feel free
> to add it to your WebSite. Please note the source though Chris Blizzard
> NYSERNet, Inc.
>
> Yes this is a Technical Mailing list, but you gotta have a sense of humor. :-)
>
>
> ------
> SunOS
> ------
>
> As taken from:
>
> http://www.netaxs.com/~freedman/syn/
>
> Please refer to this site for the object files listed below.
>
> ------
>
> How to make BSD (SunOS) kernels SYN-attack resistant
>
> The quick version: Grab the appropriate object files and rebuild your kernel
>
> The two key fixes in BSD-derived TCP OS code.
> For SunOS, I've supplied the three modules you'll need to replace
> for Sun4c and Sun4m architectures.
>
> The quick fix is to put these three modules in your
> /usr/kvm/sys/sun4c/OBJ or /usr/kvm/sys/sun4m/OBJ directory and
> build a new kernel.
>
> For sun4c: uipc_socket2.o tcp_input.o tcp_usrreq.o
>
> For sun4m: uipc_socket2.o tcp_input.o tcp_usrreq.o
>
>
> Our experience with the patches is that even on a lowly Sparc 1+, it can
> easily repel 50-200 SYNs/second. And a Sparc 10 model 30 can repel 1000-2000
> packets/second without a sweat.
>
>
> ------
> Solaris
> ------
>
> The Solaris kernel is configurable at run time using the "ndd" utility.
> The settings that you have to worry about are:
>
> tcp_conn_req_max - This is the number of half open connections that are
> allowed on a port. This is 32 seconds by default. You should
> change this to 1024.
>
> tcp_ip_abort_cinterval - This is the amount of time that a connection is
> allowed to stay in a half open state. This is 180,000
> (3 minutes) by default. You can change this to 25,000
> if you want (25 seconds). Please note that by changing this
> you may find that SLIP/PPP users may have problems contacting
> your site.
>
> To view your current settings, use the following commands:
>
> /usr/sbin/ndd /dev/tcp tcp_ip_abort_cinterval
> /usr/sbin/ndd /dev/tcp tcp_conn_req_max
>
> You can set these variables with the following commands:
>
> /usr/sbin/ndd -set /dev/tcp tcp_ip_abort_cinterval 25000
> /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max 1024
>
> ------
> Digital Unix
> ------
>
> Changing the settings for Digital Unix can be done in the following
> header files:
>
> /usr/sys/include/sys/socket.h:
>
> #define SOMAXCONN 8
>
> This is the number of pending connections. You may want to change this
> to 1024.
>
> /usr/sys/include/netinet/tcp_timer.h
>
> #define TCPTV_KEEP_INIT ( 75*PR_SLOWHZ)
>
>
> This is the timeout of the half open connections in seconds. You may
> want to change this.
>
> ------
> BSDI 2.1
> ------
>
> BSDI allows you to change these settings at run time and in the header
> files.
>
> To view your current settings at runtime, please use the following commands:
>
> sysctl net.inet.tcp.conntimeo ( 75 seconds by default )
> sysctl net.socket.maxconn ( 64 by default )
>
> They can be changed with the following commands:
>
>
> sysctl net.inet.tcp.conntimeo 25
> sysctl net.socket.maxconn 1024
>
> In the header files you can adjust this:
>
> /usr/src/sys/sys/socket.h:
>
> #define SOMAXCONN 64
>
> /usr/src/sys/netinet/tcp_timer.h
>
> #define TCPTV_KEEP_INIT (75 * PR_SLOWHZ)
>
> ------
> Linux
> ------
>
>
> As of version 2.0.5, the Linux kernel is unusually vulnerable to this kind
> of attack because the TCP timer is badly broken. Half open sockets will
> stay open as long as 20 minutes. A fix for this is "in the works". The
> maximum number of half open connections is 128 by default. It can be
> changed in the file:
>
> /usr/src/linux/include/linux/socket.h
>
> #define SOMAXCONN 128
>
> -------------------------------------------------------------------
> Christopher Blizzard | "The truth knocks on the door and you say
> blizzard@nysernet.org | 'Go away. I'm looking for the truth,' and
> NYSERNet, Inc. | so it goes away." --Robert Pirsig
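
An added example, not part of the forwarded message or of Chris Blizzard's list: a small POSIX shell script that audits a Solaris host's two ndd tunables against the values recommended above and prints the exact "ndd -set" commands needed, plus the BSDI sysctl lines in the "name=value" form the forwarder corrected. The recommended thresholds (1024 pending connections, 25000 ms) and the stock defaults (32, 180000 ms) are the ones quoted in the message; the function names, and the sample values the script falls back to when /usr/sbin/ndd is not present, are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the forwarded message: audit a Solaris host's
# SYN-flood tunables against the values the post recommends and print the
# ndd commands that bring them in line. Thresholds and defaults are the
# post's; the "sample" fallback values are constructed so the script also
# runs on a box without ndd (which is how it can be exercised offline).

REC_CONN_REQ_MAX=1024       # post: raise tcp_conn_req_max to 1024 pending connections
REC_ABORT_CINTERVAL=25000   # post: lower tcp_ip_abort_cinterval to 25000 ms (25 s)

# Constructed sample values, matching the Solaris defaults quoted in the post.
SAMPLE_CONN_REQ_MAX=32
SAMPLE_ABORT_CINTERVAL=180000

# live_value NAME: read a tunable from the running kernel when ndd exists,
# otherwise return the constructed sample so the audit can run anywhere.
live_value() {
    if [ -x /usr/sbin/ndd ] && [ -c /dev/tcp ]; then
        /usr/sbin/ndd /dev/tcp "$1"
    else
        case "$1" in
            tcp_conn_req_max)       echo "$SAMPLE_CONN_REQ_MAX" ;;
            tcp_ip_abort_cinterval) echo "$SAMPLE_ABORT_CINTERVAL" ;;
            *) echo "unknown tunable: $1" >&2; return 1 ;;
        esac
    fi
}

# audit_syn_tunables CONN_REQ_MAX ABORT_CINTERVAL_MS
# Prints one finding per setting weaker than the recommendation, each with
# the ndd -set command that fixes it. Prints nothing when already hardened.
audit_syn_tunables() {
    if [ "$1" -lt "$REC_CONN_REQ_MAX" ]; then
        echo "tcp_conn_req_max is $1 (want >= $REC_CONN_REQ_MAX):" \
             "/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max $REC_CONN_REQ_MAX"
    fi
    if [ "$2" -gt "$REC_ABORT_CINTERVAL" ]; then
        echo "tcp_ip_abort_cinterval is $2 ms (want <= $REC_ABORT_CINTERVAL):" \
             "/usr/sbin/ndd -set /dev/tcp tcp_ip_abort_cinterval $REC_ABORT_CINTERVAL"
    fi
    return 0
}

# syn_findings_count CONN_REQ_MAX ABORT_CINTERVAL_MS: number of findings
# (0 means the host is at or beyond the recommended values).
syn_findings_count() {
    audit_syn_tunables "$1" "$2" | awk 'END { print NR }'
}

# bsdi_set_commands: the equivalent BSDI 2.1 settings, in the "name=value"
# form the forwarder notes is the one that actually sets them via sysctl.
bsdi_set_commands() {
    echo "sysctl net.inet.tcp.conntimeo=25"
    echo "sysctl net.socket.maxconn=$REC_CONN_REQ_MAX"
}

# Stand-alone run: audit whatever values this host reports (or the samples).
conn_req_max=$(live_value tcp_conn_req_max)
abort_ms=$(live_value tcp_ip_abort_cinterval)
if [ "$(syn_findings_count "$conn_req_max" "$abort_ms")" -eq 0 ]; then
    echo "SYN tunables already at or beyond the recommended values"
else
    audit_syn_tunables "$conn_req_max" "$abort_ms"
fi
```

Run it as root on the host; without /usr/sbin/ndd it reports against the constructed sample defaults, so on a stock 1996-era Solaris box and on a test machine alike it lists both tunables with the fix for each. Keep the message's caveat in mind before applying the second command: cutting tcp_ip_abort_cinterval to 25 seconds can cause connection failures for slow SLIP/PPP clients, so watch for them afterwards. Later Solaris releases replaced tcp_conn_req_max with tcp_conn_req_max_q and tcp_conn_req_max_q0, so the tunable names need adjusting there.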