Tuning Digital UNIX against TCP SYN Flooding and IP Spoofing Attacks

Patches are currently available for Digital UNIX which allow the system administrator to avoid or reduce the negative impact of a TCP SYN attack. The tunable parameters needed to survive these attacks are present in the recently announced Digital UNIX V4.0A release, as well as in the previously shipping Digital UNIX V3.2G and Digital UNIX V4.0 releases. See the section titled "UNIX Version and Patch Recommendations" in the document "DIGITAL UNIX Tuning Parameters for Web Servers" for information on how to obtain patches and on the patches appropriate for each DIGITAL UNIX version.

The CERT advisory contains the full details of the attack; refer to the advisory for additional information:

    CERT(sm) Advisory CA-96.21
    Topic: TCP SYN Flooding and IP Spoofing Attacks
    Original issue date: September 19, 1996
    ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding
    http://www.cert.org/

Briefly, the Digital UNIX operating system can be further hardened against attacks of this nature through the use of two separate kernel tunable parameters. First, the listen queue size (sominconn) controls how many TCP SYN packets can be held simultaneously before additional requests are discarded. Second, a timer (tcp_keepinit) controls how long these partial (half-open) connections remain in the listen queue. The default listen queue length for Digital UNIX is 1024, while the default timeout is 75 seconds.

Digital recommends that the listen queue (sominconn) be increased to 32767, its maximum value. Warning: do NOT set sominconn (or somaxconn) above 32767; this is the maximum value allowed. Additionally, the partial connection listen queue timeout value (tcp_keepinit) should be reduced from the default of 150 (75 seconds) to a value of 30 (15 seconds); the parameter is expressed in half-second units.

An example of patching the kernel is shown below:

    $ su
    Password:
    # dbx -k /vmunix
    ...
    dbx> assign sominconn=32767
    dbx> patch sominconn=32767
    dbx> assign tcp_keepinit=30
    dbx> patch tcp_keepinit=30
    dbx> quit
    #

Note: the dbx "assign" command changes the in-memory running kernel image, while the "patch" command changes the on-disk /vmunix image. Use assign for an immediate change, and patch for long-term changes which hold their value over one or more reboots. Be aware that if a kernel is rebuilt for any reason, the new /vmunix image will need to be patched accordingly.
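The following shell script is an added example, not part of the original Digital note. It generates the dbx command sequence shown above from a queue length in connections and a timeout in seconds, converting the timeout to the half-second units tcp_keepinit uses (the note maps 150 to 75 seconds) and refusing any sominconn value above the 32767 ceiling the note warns about. The names gen_dbx_script, check_sominconn and keepinit_units are the script's own; feeding the generated commands to dbx on standard input is an assumption about dbx usage, so the script only prints them rather than invoking dbx itself.

```shell
#!/bin/sh
# Added example: build and sanity-check the dbx command script for the two
# Digital UNIX tunables described in the note (sominconn and tcp_keepinit).
# Assumptions: tcp_keepinit counts half-seconds (150 == 75 s in the note),
# and 32767 is the hard ceiling for sominconn/somaxconn (stated in the note).

SOMINCONN_MAX=32767

# Convert a timeout given in seconds to tcp_keepinit units (half-seconds).
keepinit_units() {
    echo $(( $1 * 2 ))
}

# Return 0 if the proposed listen-queue length is within 1..32767, else 1.
check_sominconn() {
    if [ "$1" -ge 1 ] && [ "$1" -le "$SOMINCONN_MAX" ]; then
        return 0
    fi
    return 1
}

# Print the dbx session for a queue length and a timeout in seconds.
# Both "assign" (running kernel) and "patch" (on-disk /vmunix) are emitted,
# matching the note's example, so the change survives a reboot.
gen_dbx_script() {
    q=$1
    secs=$2
    if ! check_sominconn "$q"; then
        echo "sominconn $q out of range (1..$SOMINCONN_MAX)" >&2
        return 1
    fi
    units=$(keepinit_units "$secs")
    printf 'assign sominconn=%s\npatch sominconn=%s\n' "$q" "$q"
    printf 'assign tcp_keepinit=%s\npatch tcp_keepinit=%s\nquit\n' "$units" "$units"
}

# Usage (as root): gen_dbx_script 32767 15 | dbx -k /vmunix
# Rerun after any kernel rebuild, since a fresh /vmunix loses the patch.
```

Because the check rejects out-of-range queue lengths before anything is written, a typo such as 327670 produces an error message and a non-zero exit instead of a kernel patched with a value outside the supported range.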