
TCP SYN Flood Attacks Against Solaris

Detecting an attack

Use one of the following commands to measure the number of TCP connections in the SYN_RCVD state. On BSD:

$ netstat -an -f inet | grep SYN_RCVD | wc -l

And, on Linux:

$ netstat -an -A inet | grep SYN_RECV | wc -l

Hardening your system against attacks

Unless you've done the following, no version of Solaris can withstand a heavy attack.

First, decrease the abort timer value. Set it with a command similar to:

% ndd -set /dev/tcp tcp_ip_abort_cinterval 10000

Then lengthen the per-port backlog queue to a value in the thousands. In this example we use 8192.

1. Change the upper limit the system will enforce. Append the following line to the file /etc/init.d/inetinit:

echo "tcp_param_arr+14/W 0t10240" | adb -kw /dev/ksyms /dev/mem

2. Change the system parameter specifying the per-port backlog queue length. Use a command similar to:

% ndd -set /dev/tcp tcp_conn_req_max 8192

3. Upgrade system memory. Assume 25 ports servicing TCP SYN requests and 600 bytes per queue entry. Multiply 25 by 600 by the queue length you used in the above command, then divide the result by 1,048,576 to arrive at the needed system memory in megabytes. For this example:

25 ports x 600 bytes/entry x 8192 entries/queue = 122,880,000 bytes

122,880,000 bytes / ( 1,048,576 bytes/MB) = 117.1875 MB
                                          = 120 MB (more or less)
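As an added example (not part of the Sun bulletin), the shell functions below run the detection step over a constructed netstat dump, break the SYN_RCVD count down per local port (since it is the per-port backlog that fills up), and apply the bulletin's sizing formula. The sample assumes the Solaris/BSD netstat layout, where the local address is printed as addr.port in the first column and the state is the last column.

```sh
#!/bin/sh
# Added example: count half-open connections in a netstat dump and size the
# backlog memory with the bulletin's constants (25 ports x 600 bytes/entry).

# Constructed sample of `netstat -an -f inet` output (Solaris/BSD column order:
# Local Address, Remote Address, Swind, Send-Q, Rwind, Recv-Q, State).
SAMPLE_NETSTAT='192.0.2.10.80      198.51.100.7.40211   0      0  8760      0 SYN_RCVD
192.0.2.10.80      198.51.100.8.40212   0      0  8760      0 SYN_RCVD
192.0.2.10.80      198.51.100.9.40213   0      0  8760      0 SYN_RCVD
192.0.2.10.22      203.0.113.5.51000    8760   0  8760      0 ESTABLISHED
192.0.2.10.25      203.0.113.6.51001    0      0  8760      0 SYN_RCVD
192.0.2.10.80      203.0.113.7.51002    8760   0  8760      0 ESTABLISHED'

# Total half-open connections, equivalent to the grep | wc -l pipeline above.
# (On Linux the state name is SYN_RECV, so the pattern would differ.)
count_syn_rcvd() {
    printf '%s\n' "$1" | grep -c 'SYN_RCVD'
}

# Half-open connections on one local port ($2). A flood against one service
# shows up as a spike on that port while the rest of the system looks normal.
count_syn_rcvd_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $NF == "SYN_RCVD" {
            n = split($1, a, "."); if (a[n] == port) c++
        }
        END { print c + 0 }'
}

# Memory in whole megabytes (rounded up) for a given tcp_conn_req_max value:
# 25 ports x 600 bytes/entry x queue length, divided by 1048576 bytes/MB.
backlog_memory_mb() {
    awk -v q="$1" 'BEGIN {
        mb = 25 * 600 * q / 1048576
        if (mb > int(mb)) mb = int(mb) + 1
        print mb
    }'
}

count_syn_rcvd "$SAMPLE_NETSTAT"             # 4
count_syn_rcvd_on_port "$SAMPLE_NETSTAT" 80  # 3
backlog_memory_mb 8192                       # 118
```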

For more information

Patches were once available at sunsolve1.sun.com, and you could join an advisory email list at security-alert@sun.com.

The above info was in Sun Security Bulletin #136.