AltaVista Firewall for UNIX ping patches.

PROBLEM:

1. Certain 'ping' commands from Windows NT and Windows 95 systems can remotely panic UNIX systems, denying service to users and operators of those UNIX systems.

2. Certain hosts are vulnerable to a denial of service attack called "SYN Flood Attack".

From time to time, Digital[TM] releases patches to Digital UNIX. These patches are often released to fix known bugs, or to improve performance of machines running Digital UNIX. Never apply a Digital UNIX patch to a Digital UNIX machine running the AltaVista Firewall, unless Digital support can confirm that the patch does not adversely affect how the AltaVista[TM] Firewall works. The installation procedure for the AltaVista Firewall applies patches to the Digital UNIX kernel to support the functions of the firewall. If further patches are applied to the kernel, the patches supporting the AltaVista Firewall could be overwritten, and some functions of the firewall could be disabled. We therefore recommend that you apply one of the following AltaVista Firewall patches instead.

D. UNIX Vers   AltaVista Firewall Patch        MD5 Checksum
------------   -----------------------------   --------------------------------
V3.2c          dfwu-v2.0-ping_DUv3.2cd.tar     8f3d456bafbb62115eadaed883807e7e
V3.2d          dfwu-v2.0-ping_DUv3.2cd.tar     8f3d456bafbb62115eadaed883807e7e

To apply any of these patches:

1. Verify that you have the correct tar file by generating the md5 checksum and comparing it to the value listed above.

       > md5 dfwu-v2.0-ping_DUv3.2cd.tar
       MD5 (dfwu-v2.0-ping_DUv3.2cd.tar) = 8f3d456bafbb62115eadaed883807e7e

2. Unpack the tar file, for example:

       > tar xvf dfwu-v2.0-ping_DUv3.2cd.tar

3. Change directory to the directory containing the patch:

       > cd pingpatch-v32cd

4. Su to root.

5. Install the patch using:

       # ./applypatch

6. Reboot the firewall:

       # shutdown -r now

Tuning Digital UNIX to improve the AltaVista Firewall performance:
-----------------------------------------------------------------

After applying the relevant AltaVista Firewall patch you can further tune your system to manage problems involving denial of service, such as SYN flood attacks. In a SYN flood attack, a remote host sends you a SYN packet with a nonexistent source address. This uses a connection slot while your host attempts to acknowledge the connection to the non-existent source. The number of slots available and the amount of time a slot remains allocated are specified by the following kernel parameters:

somaxconn
    Sets the maximum number of pending requests allowed to wait on a listening socket. The default value for Versions 3.2G and 4.0 is 1024. The maximum value is 32767.

sominconn
    Sets the minimum number of pending connections allowed on a listening socket. When a user process calls listen with a backlog less than sominconn, the backlog will be set to sominconn. The sominconn parameter overrides somaxconn. The default value for Versions 3.2G and 4.0 is 1. The maximum value is 32767.

tcp_keepinit
    This is the amount of time a partially established connection remains on the listen queue before it times out (for example, if a client sends a SYN but never answers our SYN/ACK). Partially established connections use slots on the listen queue. If this queue starts to fill with connections in SYN_RCVD state, you can decrease the value of the tcp_keepinit parameter to make those partial connects time out sooner. You specify the parameter in half-second units. The default value is 150 (that is, 75 seconds). Note: Be very careful when you modify this parameter, as legitimate clients may take some time to respond to SYN/ACK.

To determine the network load on your system while the machine is operating in its maximum load condition (that is, when it is receiving the maximum rate of new connections), use the following command:

    # /usr/sbin/netstat -An | grep SYN_RCVD

The output from this command may have many lines of the following form:

    20e4500 tcp 0 0 10.222.222.12.9996 22.222.222.123.194 SYN_RCVD

If so, your system may have a problem receiving connections and you should tune your system accordingly. You can tune the kernel on your computer by modifying the values of the three kernel variables described above, as follows:

You can modify the somaxconn and sominconn parameters using the sysconfig command to increase the number of available slots for partially established connections. You can set these parameters to a maximum value of 32767. It is recommended that you assign the sominconn and somaxconn parameters the same values. This increases the number of slots available, and therefore significantly improves the ability of your system to continue to serve all connection requests from valid clients. For more information on the sysconfig command, see the man pages for sysconfig and sysconfigdb.

You can modify tcp_keepinit using the sysconfig command to decrease the amount of time a partially established connection remains on the listen queue before it times out. It is strongly recommended that you have some knowledge of the characteristics of the network before you decrease this parameter. Be very careful when you modify this parameter, as legitimate clients may take some time to respond to SYN/ACK due to network latency.

Tuning Digital UNIX to Improve Web Proxy Performance
----------------------------------------------------

You can improve the web proxy performance by increasing the lookup speed for the TCP connection table. You can do this by increasing the size of the hashlist for the TCP inpcb lookup table. To do this, you modify the following kernel parameter:

tcbhashsize
    The number of hash buckets used for the TCP connection table used in the kernel. The default value is 32. This value should be specified as a power of 2 and may be set to a maximum of 1024.

You can modify the value of tcbhashsize by patching the kernel using dbx. The following steps can be used on Digital UNIX.

    # /usr/bin/dbx -k /vmunix /dev/mem
    dbx version 3.11.10
    Type 'help' for help.

    stopped at [thread_block:2025 ,0xfffffc00002a7a70] Source not available
    warning: Files compiled -g3: parameter values probably wrong
    (dbx) patch tcbhashsize=128
    128
    (dbx) quit
    # /sbin/sysconfig -q inet tcbhashsize
    inet: tcbhashsize = 128
    #
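The netstat check described above, turned into a small listen-queue monitor. This is an added example and not part of the Compaq README: it parses lines in the `netstat -An` format shown (a constructed sample is embedded in place of the live command), counts SYN_RCVD entries per local port, and compares one port's count against the somaxconn value. The 80% warning threshold is an assumption, not a value from the README.

```shell
#!/bin/sh
# Added example (not from the README): report half-open (SYN_RCVD) connections
# per local port from `netstat -An` output, in the format the README shows.

# Constructed sample of `netstat -An` lines: PCB address, proto, recv-q, send-q,
# local addr.port, foreign addr.port, state. Addresses are made up.
SAMPLE_NETSTAT='20e4500 tcp 0 0 10.222.222.12.9996 22.222.222.123.194 SYN_RCVD
20e4600 tcp 0 0 10.222.222.12.9996 22.222.222.124.201 SYN_RCVD
20e4700 tcp 0 0 10.222.222.12.80 22.222.222.125.1034 ESTABLISHED
20e4800 tcp 0 0 10.222.222.12.80 22.222.222.126.1040 SYN_RCVD
20e4900 tcp 0 0 10.222.222.12.80 22.222.222.127.1041 SYN_RCVD
20e4a00 tcp 0 0 10.222.222.12.80 22.222.222.128.1042 SYN_RCVD
20e4b00 tcp 0 0 10.222.222.12.25 22.222.222.129.1043 TIME_WAIT'

# half_open_by_port: read netstat -An lines on stdin and print "port count" for
# every local port that has connections in SYN_RCVD, highest count first.
half_open_by_port() {
    awk '$NF == "SYN_RCVD" {
            n = split($5, a, ".")   # local address is dotted quad + "." + port
            cnt[a[n]]++
         }
         END { for (p in cnt) print p, cnt[p] }' | sort -k2,2nr
}

# half_open_on_port PORT: number of SYN_RCVD entries for one local port (stdin).
half_open_on_port() {
    awk -v p="$1" '$NF == "SYN_RCVD" { n = split($5, a, "."); if (a[n] == p) c++ }
                   END { print c + 0 }'
}

# listen_queue_ok PORT SOMAXCONN: exit 0 while the half-open count on PORT is
# below 80% of somaxconn (assumed threshold); exit 1 when the listen queue is
# nearly full, the condition under which the README says to raise
# somaxconn/sominconn or lower tcp_keepinit.
listen_queue_ok() {
    n=$(half_open_on_port "$1")
    limit=$(( $2 * 8 / 10 ))
    [ "$n" -lt "$limit" ]
}

# Stand-alone run on the sample; on a live Digital UNIX host feed the functions
# from `/usr/sbin/netstat -An` instead of SAMPLE_NETSTAT.
printf '%s\n' "$SAMPLE_NETSTAT" | half_open_by_port
```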



This patch can be found at any of these sites:

Colorado Site
Georgia Site



Files on this server are as follows:

dfwu-v2.0-ping.README
dfwu-v2.0-ping_DUv3.2cd.tar
      
