Use the following command to monitor the number of TCP connections in the SYN_RCVD state:
% netstat -an -f inet | grep SYN_RCVD | wc -l
Unless you've done the following, no version of Solaris can withstand a heavy attack.
First, decrease the abort timer value. Set it with a command similar to:
% ndd -set /dev/tcp tcp_ip_abort_cinterval 10000
Then lengthen the per-port backlog queue to a value in the thousands. In this example we use 8192.
1. Change the upper limit the system will enforce. Append the following line to the file /etc/init.d/inetinit
echo "tcp_param_arr+14/W 0t10240" | adb -kw /dev/ksyms /dev/mem
2. Change the system parameter specifying the per-port backlog queue length. Use a command similar to:
% ndd -set /dev/tcp tcp_conn_req_max 8192
3. Upgrade system memory. Assume 25 ports must service TCP SYN requests, at 600 bytes per queue entry. Multiply 25 times 600 times the number you used in the above command, and divide the result by 1,048,576 to arrive at the needed system memory in megabytes. For this example:
25 ports x 600 bytes/entry x 8192 entries/queue = 122,880,000 bytes
122,880,000 bytes / ( 1,048,576 bytes/MB) = 117.1875 MB
= 120 MB (more or less)
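As an added example (not from the original page or from Sun's bulletin), the following POSIX shell helper turns the monitoring command and the sizing formula above into checks that can be run from cron: it counts SYN_RCVD entries in a netstat snapshot, reports what fraction of the configured backlog they consume, and computes the memory the formula calls for, rounded up to whole megabytes. The sample netstat lines, the 80% warning threshold and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of Sun Security Bulletin #136 or the original page.
# Constructed sample of "netstat -an -f inet" output (addresses are
# documentation ranges, not real hosts).
SAMPLE_NETSTAT='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
192.0.2.10.80        198.51.100.7.40231   8760      0 49152      0 SYN_RCVD
192.0.2.10.80        198.51.100.8.40232   8760      0 49152      0 SYN_RCVD
192.0.2.10.22        203.0.113.5.51022   49640      0 49640      0 ESTABLISHED
192.0.2.10.80        198.51.100.9.40233   8760      0 49152      0 SYN_RCVD
192.0.2.10.80        198.51.100.10.40234  8760      0 49152      0 SYN_RCVD
192.0.2.10.443       0.0.0.0.0                0      0 49152      0 LISTEN'

# Count half-open connections in netstat output read from stdin
# (same as "netstat -an -f inet | grep SYN_RCVD | wc -l").
# "|| :" keeps the function's exit status 0 when the count is zero.
count_syn_rcvd() {
    grep -c 'SYN_RCVD$' || :
}

# Memory in MB, rounded up, for the bulletin's formula:
# ports * bytes_per_entry * backlog / 1048576.
# Usage: backlog_memory_mb BACKLOG [PORTS=25] [BYTES_PER_ENTRY=600]
backlog_memory_mb() {
    total=$(( $1 * ${2:-25} * ${3:-600} ))
    echo $(( (total + 1048575) / 1048576 ))
}

# Integer percentage of the per-port backlog used by half-open connections.
# Usage: backlog_utilization COUNT BACKLOG
backlog_utilization() {
    echo $(( $1 * 100 / $2 ))
}

# Print WARN (exit 1) when the SYN_RCVD count reaches PCT percent of the
# backlog set with tcp_conn_req_max; otherwise print OK (exit 0).
# Usage: check_syn_backlog COUNT BACKLOG PCT
check_syn_backlog() {
    pct=$(backlog_utilization "$1" "$2")
    if [ "$pct" -ge "$3" ]; then
        echo "WARN: $1 half-open connections, ${pct}% of backlog $2"
        return 1
    fi
    echo "OK: $1 half-open connections, ${pct}% of backlog $2"
}

count=$(printf '%s\n' "$SAMPLE_NETSTAT" | count_syn_rcvd)
check_syn_backlog "$count" 8192 80
echo "memory for backlog 8192: $(backlog_memory_mb 8192) MB"
```

On a live system replace the sample with `netstat -an -f inet | count_syn_rcvd`; the rounded-up figure (118 MB for a backlog of 8192) matches the bulletin's "120 MB (more or less)".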
Patches are available at: http://sunsolve1.sun.com/
Send mail to: security-alert@sun.com with subject "Subscribe".
This info is from Sun Security Bulletin #136.
© Bob Cromwell Aug 2010. Created with /bin/vi and ImageMagick, hosted on OpenBSD with Apache.