TCP SYN Flood Attacks Against Solaris
Detecting an attack
Use one of the following commands to measure the number of TCP connections in the SYN_RCVD state.
On BSD:
$ netstat -an -f inet | grep SYN_RCVD | wc -l
And, on Linux (net-tools netstat selects the address family with -A and prints the half-open state as SYN_RECV):
$ netstat -an -A inet | grep SYN_RECV | wc -l
Hardening your system against attacks
Unless you've done the following, no version of Solaris can withstand a heavy attack.
First, decrease the abort timer value. Set it with a command similar to:
% ndd -set /dev/tcp tcp_ip_abort_cinterval 10000
Then lengthen the per-port backlog queue to a value in the thousands. In this example we use 8192.
1. Change the upper limit the system will enforce. Append the following line to the file /etc/init.d/inetinit:
echo "tcp_param_arr+14/W 0t10240" | adb -kw /dev/ksyms /dev/mem
2. Change the system parameter specifying the per-port backlog queue length. Use a command similar to:
% ndd -set /dev/tcp tcp_conn_req_max 8192
3. Upgrade system memory. We need 25 ports to service TCP SYN requests, and 600 bytes per entry. Multiply 25 times 600 times the number you used in the above command, and divide the result by 1,048,576 to arrive at the needed system memory in megabytes. For this example:
25 ports x 600 bytes/entry x 8192 entries/queue = 122,880,000 bytes
122,880,000 bytes / (1,048,576 bytes/MB) = 117.1875 MB = 120 MB (more or less)
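The detection check from the first section and the memory sizing rule above, as an added example that is not part of the Sun bulletin: it reads BSD-layout netstat output (a constructed sample is embedded, not a real capture), counts half-open connections host-wide and per local port (the backlog queue is per port, so one saturated port matters more than the total), and applies the 25 x 600 x N / 1,048,576 formula.

```shell
#!/bin/sh
# Constructed sample of `netstat -an -f inet` output in BSD column layout
# (Proto Recv-Q Send-Q Local Foreign state); not captured from a real host.
SAMPLE='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.80          198.51.100.7.41022     ESTABLISHED
tcp4       0      0  192.0.2.10.80          203.0.113.5.51201      SYN_RCVD
tcp4       0      0  192.0.2.10.80          203.0.113.9.51202      SYN_RCVD
tcp4       0      0  192.0.2.10.25          203.0.113.5.51203      SYN_RCVD
tcp4       0      0  192.0.2.10.22          198.51.100.8.41030     ESTABLISHED
tcp4       0      0  192.0.2.10.25          203.0.113.1.51204      SYN_RCVD'

# Host-wide count of half-open (SYN_RCVD) connections, netstat output on stdin.
count_half_open() {
    awk '$NF == "SYN_RCVD" { n++ } END { print n + 0 }'
}

# Per-local-port breakdown, busiest port first. The local address is the 4th
# column and the port is its last dot-separated field (BSD prints a.b.c.d.port).
half_open_per_port() {
    awk '$NF == "SYN_RCVD" { n = split($4, a, "."); cnt[a[n]]++ }
         END { for (p in cnt) print p, cnt[p] }' | sort -k2,2nr -k1,1n
}

# Memory (MB, truncated) the bulletin's rule of thumb assigns to a per-port
# backlog of $1 entries: 25 ports x 600 bytes/entry x entries / 1,048,576.
needed_memory_mb() {
    echo $(( 25 * 600 * $1 / 1048576 ))
}

# Stand-alone run: report the counts, and warn when any port's half-open
# count approaches the configured backlog (hypothetical threshold in $2).
report() {
    printf '%s\n' "$SAMPLE" | count_half_open
    printf '%s\n' "$SAMPLE" | half_open_per_port | while read -r port n; do
        [ "$n" -ge "${2:-8192}" ] && echo "port $port backlog full ($n)"
        echo "port $port: $n half-open"
    done
    echo "memory for backlog ${1:-8192}: $(needed_memory_mb "${1:-8192}") MB"
}
```

Pipe live output (`netstat -an -f inet | count_half_open`) into the same functions on a host whose netstat uses the BSD layout.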
For more information
Patches were once available at sunsolve1.sun.com, and you could join an advisory email list at security-alert@sun.com.
The above info was in Sun Security Bulletin #136.