AltaVista Firewall for UNIX ping patches.
PROBLEM:
1. Certain 'ping' commands from Windows NT and Windows 95
systems can remotely panic UNIX systems, denying service to users and
operators of those UNIX systems.
2. Certain hosts are vulnerable to a denial of service attack called
"SYN Flood Attack".
From time to time, Digital[TM] releases patches to Digital UNIX.
These patches are often released to fix known bugs, or to improve
performance of machines running Digital UNIX.
Never apply a Digital UNIX patch to a Digital UNIX machine running
the AltaVista Firewall, unless Digital support can confirm that the
patch does not adversely affect how the AltaVista[TM] Firewall works.
The installation procedure for the AltaVista Firewall applies patches
to the Digital UNIX kernel to support the functions of the firewall.
If further patches are applied to the kernel, the patches supporting
the AltaVista Firewall could be overwritten, and some functions of
the firewall could be disabled.
We therefore recommend that you apply one of the following
AltaVista Firewall patches instead.
D. UNIX Vers   AltaVista Firewall Patch     MD5 Checksum
------------   -------------------------    --------------------------------
V3.2g          afwu-v2.0-ping_DUv3.2g.tar   189edcc8e9f0f3149c2b9ef751e39843
V4.0           afwu-v2.0-ping_DUv4.0.tar    ccc6a975bff58aa745efce44681509d7
V4.0a          afwu-v2.0-ping_DUv4.0a.tar   c8661aae78d2d4090540a6787b6d7875
To apply any of these patches:
1. Verify that you have the correct tar file by generating
the md5 checksum and comparing it to the value listed above.
>md5 afwu-v2.0-ping_DUv3.2g.tar
MD5 (afwu-v2.0-ping_DUv3.2g.tar)=189edcc8e9f0f3149c2b9ef751e39843
2. Unpack the tar file using, for example:
>tar xvf afwu-v2.1-ping_duv3.2g.tar
3. Change directory to the directory containing the patch:
>cd pingpatch-v32g
4. su to root
5. Install the patch using:
#./applypatch
6. Reboot the firewall:
#shutdown -r now
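The checksum step above is the one that protects you from installing a tampered or truncated tarball, so it is worth scripting rather than comparing 32 hex digits by eye. The following shell script is an added example, not part of the README or of the AltaVista Firewall distribution. It handles both the Digital UNIX/BSD "md5" output format shown above ("MD5 (file)=hash") and GNU "md5sum", compares case-insensitively, and carries the three published checksums from the table; the sample file used in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the README): verify a downloaded AltaVista Firewall
# patch tarball against the MD5 value published in the README's table before
# unpacking it. Refuses to report OK on a mismatch or a missing file.

# file_md5 FILE: print the lowercase hex MD5 of FILE.
# Uses GNU md5sum ("hash  file") when present, otherwise the BSD/Digital UNIX
# md5 command ("MD5 (file)=hash" or "MD5 (file) = hash").
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 "$1" | sed 's/^.*= *//'
    fi | tr 'A-F' 'a-f'
}

# verify_patch FILE EXPECTED_MD5: return 0 only when the checksum matches,
# 1 on mismatch, 2 when the file does not exist.
verify_patch() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(file_md5 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK $file"
        return 0
    fi
    echo "MISMATCH $file: got $actual, expected $expected" >&2
    return 1
}

# expected_md5_for FILE: the checksum published in the README for that
# tarball name (values copied from the table, not constructed); fails for
# any other name so an unknown file is never silently accepted.
expected_md5_for() {
    case "$1" in
        *afwu-v2.0-ping_DUv3.2g.tar) echo 189edcc8e9f0f3149c2b9ef751e39843 ;;
        *afwu-v2.0-ping_DUv4.0.tar)  echo ccc6a975bff58aa745efce44681509d7 ;;
        *afwu-v2.0-ping_DUv4.0a.tar) echo c8661aae78d2d4090540a6787b6d7875 ;;
        *) echo "no published checksum for $1" >&2; return 1 ;;
    esac
}

# Stand-alone run: check every patch tarball present in the current directory.
for f in afwu-v2.0-ping_DU*.tar; do
    [ -f "$f" ] || continue
    sum=$(expected_md5_for "$f") || continue
    verify_patch "$f" "$sum" || echo "do not unpack $f" >&2
done
```

Run it in the directory holding the downloaded tarball; only a file that prints "OK" should be passed to tar in step 2. If the list of published checksums changes, only the expected_md5_for table needs editing.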
Tuning Digital UNIX to improve the AltaVista Firewall performance:
-----------------------------------------------------------------
After applying the relevant AltaVista Firewall patch you can further
tune your system to manage problems involving denial of service, such as
SYN flood attacks.
In a SYN flood attack, a remote host sends you a SYN packet with a nonexistent
source address. This uses a connection slot while your host attempts to
acknowledge the connection to the non-existent source.
The number of slots available and the amount of time a slot remains allocated
are specified by the following kernel parameters:
somaxconn
Sets the maximum number of pending requests allowed to wait on a
listening socket. The default value for Versions 3.2G and 4.0 is 1024.
The maximum value is 32767.
sominconn
Sets the minimum number of pending connections allowed on a
listening socket. When a user process calls listen with a backlog
less than sominconn, the backlog will be set to sominconn. The
sominconn parameter overrides somaxconn. The default value for
Versions 3.2G and 4.0 is 1. The maximum value is 32767.
tcp_keepinit
This is the amount of time a partially established connection remains
on the listen queue before it times out (for example, if a client
sends a SYN but never answers our SYN/ACK).
Partially established connections use slots on the listen queue. If
this queue starts to fill with connections in SYN_RCVD state, you can
decrease the value of the tcp_keepinit parameter to make those
partial connects time out sooner. You specify the parameter in half-second
units. The default value is 150 (that is, 75 seconds).
Note:
Be very careful when you modify this parameter, as legitimate clients may take
some time to respond to SYN/ACK.
To determine the network load on your system while the machine is operating
in its maximum load condition (that is, when it is receiving the maximum
rate of new connections), use the following command:
# /usr/sbin/netstat -An | grep SYN_RCVD
The output from this command may have many lines of the following form:
20e4500 tcp 0 0 10.222.222.12.9996 22.222.222.123.194 SYN_RCVD
If so, your system may have a problem receiving connections and you should
tune your system accordingly. You can tune the kernel on your computer by
modifying the values of the three kernel variables described above, as follows:
You can modify the somaxconn and sominconn parameters using the
sysconfig command to increase the number of available slots for partially
established connections. You can set these parameters to a maximum value
of 32767.
It is recommended that you assign the sominconn and somaxconn parameters
the same values. This increases the number of slots available, and
therefore significantly improves the ability of your system to continue
to serve all connection requests from valid clients.
For more information on the sysconfig command, see the man pages for
sysconfig and sysconfigdb.
You can modify the tcp_keepinit using the sysconfig command to decrease
the amount of time a partially established connection remains on the
listen queue before it times out.
It is strongly recommended that you have some knowledge of the characteristics
of the network before you decrease this parameter. Be very careful when you
modify this parameter, as legitimate clients may take some time to respond to
SYN/ACK due to network latency.
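Deciding whether the listen queue is actually under pressure means counting the SYN_RCVD entries in the netstat output above and relating them to the somaxconn limit, per listening port rather than as a single number, since a flood usually targets one service. The script below is an added example, not part of the README; it parses lines in the netstat -An format shown above (the embedded sample lines and their addresses are constructed) and flags a port whose half-open backlog has reached half of the configured limit. On Digital UNIX the current limit would be read with the sysconfig -q form the README uses elsewhere; here it is passed in as an argument so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not from the README): summarise half-open (SYN_RCVD) TCP
# connections per local port from "netstat -An" style output and compare the
# total with the somaxconn listen-queue limit.

# Constructed sample in the README's netstat format:
# pcb proto recv-q send-q local-addr.port remote-addr.port state
SAMPLE_NETSTAT='20e4500 tcp 0 0 10.222.222.12.9996 22.222.222.123.194 SYN_RCVD
20e4600 tcp 0 0 10.222.222.12.9996 22.222.222.124.2001 SYN_RCVD
20e4700 tcp 0 0 10.222.222.12.9996 22.222.222.125.2002 SYN_RCVD
20e4800 tcp 0 0 10.222.222.12.80 10.1.2.3.40001 ESTABLISHED
20e4900 tcp 0 0 10.222.222.12.80 22.222.222.126.2003 SYN_RCVD
20e4a00 tcp 0 0 *.80 *.* LISTEN'

# syn_rcvd_per_port: read netstat lines on stdin, print "port count" lines,
# busiest port first. The local port is the last dot-separated field of $5.
syn_rcvd_per_port() {
    awk '$NF == "SYN_RCVD" {
            n = split($5, a, ".")
            count[a[n]]++
         }
         END { for (p in count) print p, count[p] }' | sort -k2,2nr
}

# syn_rcvd_total: total number of SYN_RCVD entries on stdin (0 if none).
syn_rcvd_total() {
    awk '$NF == "SYN_RCVD" { n++ } END { print n + 0 }'
}

# backlog_status TOTAL SOMAXCONN: print WARN when half-open connections have
# reached 50% of the listen-queue limit, otherwise OK. On Digital UNIX the
# limit comes from: /sbin/sysconfig -q inet somaxconn
backlog_status() {
    total="$1"; limit="$2"
    if [ "$((total * 2))" -ge "$limit" ]; then
        echo WARN
    else
        echo OK
    fi
}

# Stand-alone run over the constructed sample with a deliberately small
# limit of 8 so the warning path is exercised.
printf '%s\n' "$SAMPLE_NETSTAT" | syn_rcvd_per_port
total=$(printf '%s\n' "$SAMPLE_NETSTAT" | syn_rcvd_total)
echo "half-open total: $total, status: $(backlog_status "$total" 8)"
```

For live use, replace the sample with "/usr/sbin/netstat -An | syn_rcvd_per_port" and pass the real somaxconn value to backlog_status. A WARN against the default limit of 1024 is the signal to raise somaxconn and sominconn together, as the text recommends; a per-port breakdown that shows a single service absorbing almost all entries is the pattern to expect from a flood rather than from a genuinely busy firewall.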
Tuning Digital UNIX to Improve Web Proxy Performance
----------------------------------------------------
You can improve the web proxy performance by increasing the lookup speed for
the TCP connection table. You can do this by increasing the size of the
hashlist for the TCP inpcb lookup table. To do this, you modify the following
kernel parameter:
tcbhashsize
The number of hash buckets used for the TCP connection
table used in the kernel. The default value is 32. This value
should be specified as a power of 2 and may be set to a
maximum of 1024.
You can modify the value of tcbhashsize by patching the kernel using dbx.
The following steps can be used on Digital UNIX.
# /usr/bin/dbx -k /vmunix /dev/mem
dbx version 3.11.10
Type 'help' for help.
stopped at [thread_block:2025 ,0xfffffc00002a7a70] Source not available
warning: Files compiled -g3: parameter values probably wrong
(dbx) patch tcbhashsize=128
128
(dbx) quit
# /sbin/sysconfig -q inet tcbhashsize
inet:
tcbhashsize = 128
#
This patch can be found at any of these sites:
Colorado Site
Georgia Site
Files on this server are as follows:
afwu-v2.1-ping.README
afwu-v2.1-ping_DUv3.2g.tar
afwu-v2.1-ping_DUv4.0.tar
afwu-v2.1-ping_DUv4.0a.tar