SEARCH CONTACT US SUPPORT SERVICES PRODUCTS STORE
United States    
COMPAQ STORE | PRODUCTS | SERVICES | SUPPORT | CONTACT US | SEARCH
gears
compaq support options
support home
software & drivers
ask Compaq
reference library
support forum
frequently asked questions
support tools
warranty information
service centers
contact support
product resources
parts for your system
give us feedback
associated links
.
} what's new
.
} contract access
.
} browse patch tree
.
} search patches
.
} join mailing list
.
} feedback
.
patches by topic
.
} DOS
.
} OpenVMS
.
} Security
.
} Tru64 Unix
.
} Ultrix 32
.
} Windows
.
} Windows NT
.
connection tools
.
} nameserver lookup
.
} traceroute
.
} ping 

               AltaVista Firewall for UNIX ping patches.


PROBLEM: 

1..Certain 'ping' commands from Windows NT and Windows 95
systems can remotely panic UNIX systems, denying service to users and
operators of those UNIX systems.

2..Certain hosts are vulnerable to a denial of service attack called
"SYN Flood Attack"

From time to time, Digital[TM] releases patches to Digital UNIX . 
These patches are often released to fix known bugs, or to improve 
performance of machines running Digital UNIX. 

Never apply a Digital UNIX patch to a Digital UNIX machine running
the AltaVista Firewall, unless Digital support can confirm that the 
patch does not adversely affect how the AltaVista[TM] Firewall works.

The installation procedure for the AltaVista Firewall applies patches 
to the Digital UNIX kernel to support the functions of the firewall. 
If further patches are applied to the kernel, the patches supporting 
the AltaVista Firewall could be overwritten, and some functions of 
the firewall could be disabled.

We therefore recommend that you apply one of the following
AltaVista Firewall patches instead.


D. UNIX Vers    AltaVista Firewall Patch      MD5 Checksum
------------    -------------------------     ------------
   V3.2c        dfwu-v2.0-ping_DUv3.2cd.tar   8f3d456bafbb62115eadaed883807e7e
   V3.2d        dfwu-v2.0-ping_DUv3.2cd.tar   8f3d456bafbb62115eadaed883807e7e



To apply any of these patches  :

     1.. Verify that you have the correct tar file by generating
         the md5 checksum and comparing it to thre value listed above.
         >md5 afwu-v2.0-ping_DUv3.2cd.tar

       MD5 (afwu-v2.0-ping_DUv3.2cd.tar)=
                                      8f3d456bafbb62115eadaed883807e7e
     2.. Unpack the tar file using for example :
         >tar xvf afwu-v2.1-ping_duv3.2cd.tar

     3.. Change directory to the directory containing the patch :
         >cd pingpatch-v32cd

     4..  Su to root

     5.. Install the patch using :
         #./applypatch

     6.. Reboot the firewall
         #shutdown -r now



Tuning Digital UNIX to improve the AltaVista Firewall performance:
-----------------------------------------------------------------
After applying the relevant AltaVista Firewall patch you can further 
tune your system to manage problems involving denial of service, such as 
SYN flood attacks.
In a SYN flood attack, a remote host sends you a SYN packet with a nonexistent 
source address. This uses a connection slot while your host attempts to 
acknowledge the connection to the non-existent source.

The number of slots available and the amount of time a slot remains allocated 
arespecified by the following kernel parameters:

somaxconn
Sets the maximum number of pending requests allowed to wait on a
listening socket. The default value for Versions 3.2G and 4.0 is 1024.
The maximum value is 32767.

sominconn
Sets the minimum number of pending connections allowed on a
listening socket. When a user process calls listen with a backlog
less than sominconn, the backlog will be set to sominconn. The
sominconn parameter overrides somaxconn. The default value for
Versions 3.2G and 4.0 is 1. The maximum value is 32767.

tcp_keepinit
This is the amount of time a partially established connection remains
on the listen queue before it times out (for example, if a client
sends a SYN but never answers our SYN/ACK).
Partially established connections use slots on the listen queue. If
this queue starts to fill with connections in SYN_RCVD state, you can
decrease the value of the tcp_keepinit parameter to make those
partial connects time out sooner. You specify the parameter in half-
second units. The default value is 150 (that is, 75 seconds).

Note:
Be very careful when you modify this parameter, as legitimate clients may take
some time to respond to SYN/ACK.

To determine the network load on your system while the machine is operating 
in its maximum load condition (that is, when it is receiving the maximum 
rate of new connections), use the following command:

# /usr/sbin/netstat -An | grep SYN_RCVD
The output from this command may have many lines of the following form:

20e4500 tcp   0  0  10.222.222.12.9996 22.222.222.123.194 SYN_RCVD

If so, your system may have a problem receiving connections and you should 
tune your system accordingly. You can tune the kernel on your computer by 
modifying the values of three kernel variables described above as follows:
  
You can modify the somaxconn and sominconn parameters using the
sysconfig command to increase the number of available slots for partially
established connections. You can set these parameters to a maximum value 
of 32767.
 
It is recommended that you assign the sominconn and somaxconn parameters 
the same values. This increases the number of slots available, and 
therefore significantly improves the ability of your system to continue 
to serve all connection requests from valid clients.

For more information on the sysconfig command, see the man pages for
sysconfig and sysconfigdb.

You can modify the tcp_keepinit using the sysconfig command to decrease
the amount of time a partially established connection remains on the 
listen queue before it times out.
It is strongly recommended that you have some knowledge of the characteristics
of the network before you decrease this parameter. Be very careful when you 
modify this parameter, as legitimate clients may take some time to respond to
SYN/ACK due to network latency.

Tuning Digital UNIX to Improve Web Proxy Performance
----------------------------------------------------
You can improve the web proxy performance by increasing the lookup speed for 
the TCP connection table. You can do this by increasing the size of the 
hashlist for the TCP inpcb lookup table. To do this, you modify the following 
kernel parameter:

tcbhashsize
The number of hash buckets used for the TCP connection
table used in the kernel. The default value is 32. This value
should be specified as a power of 2 and may be set to a
maximum of 1024.


You can modify the value of tcbhashsize by patching the kernel using dbx. 
The following steps can be used on Digital UNIX.

# /usr/bin/dbx -k /vmunix /dev/mem
dbx version 3.11.10
Type 'help' for help.
stopped at [thread_block:2025 ,0xfffffc00002a7a70] Source not available
warning: Files compiled -g3: parameter values probably wrong
(dbx) patch tcbhashsize=128
128
(dbx) quit

# /sbin/sysconfig -q inet tcbhashsize
inet:
tcbhashsize = 128
#

This patch can be found at any of these sites:

Colorado Site
Georgia Site


Files on this server are as follows:

dfwu-v2.0-ping.README
dfwu-v2.0-ping_DUv3.2cd.tar

privacy and legal statement