Showing posts with label Networking. Show all posts
Showing posts with label Networking. Show all posts

Disabling IPv6 support in Red Hat Enterprise Linux

source from: https://access.redhat.com/solutions/8709

Disabling IPv6 support in Red Hat Enterprise Linux 7

  • Disable ipv6 built-in kernel module.
  1. Edit /etc/default/grub and append ipv6.disable=1 to GRUB_CMDLINE_LINUX like the following sample:
    Raw
    GRUB_CMDLINE_LINUX="rd.lvm.lv=rhel/swap crashkernel=auto rd.lvm.lv=rhel/root ipv6.disable=1"
  2. Run the grub2-mkconfig command to regenerate the grub.cfg file:
    Raw
    # grub2-mkconfig -o /boot/grub2/grub.cfg

Alternatively, on UEFI systems, run the following:        
# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  3. Reboot the system to disable IPv6 support.
  • Alternatively, this can be done via sysctl settings. Please be aware that this breaks SSH Xforwarding unless sshd_config containsAddressFamily inet.
  1. Create a new file named /etc/sysctl.d/ipv6.conf and add the following options:
    Raw
    # To disable for all interfaces
net.ipv6.conf.all.disable_ipv6 = 1
# the protocol can be disabled for specific interfaces as well.
net.ipv6.conf..disable_ipv6 = 1
  2. The new settings would then need to be reloaded with:
    Raw
    # sysctl -p /etc/sysctl.d/ipv6.conf

Disabling IPv6 support in Red Hat Enterprise Linux 6

  1. Create a file /etc/modprobe.d/ipv6.conf with the following contents:
    Raw
    options ipv6 disable=1
  2. For completeness, it is a good idea to configure the ip6tables service not to start at boot by issuing the following command:
    Raw
    # chkconfig ip6tables off
  3. Alternatively, the IPv6 support can also be disabled in the kernel through /etc/sysctl.conf by setting following parameter:
    Raw
    # IPv6 support in the kernel, set to 0 by default
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
Please be aware that this breaks SSH Xforwarding unless AddressFamily inet is set in sshd_config.
  1. Comment out any IPv6 addresses found in /etc/hosts, including ::1 localhost address
    Raw
    # cp -p /etc/hosts /etc/hosts.disableipv6
# sed -i 's/^[[:space:]]*::/#::/' /etc/hosts
  2. Optionally to prevent rpc.nfsd setting up IPv6 sockets while NFS server is running, edit /etc/netconfig for the lines starting with udp6 and tcp6; change the "v" in the third column to "-"(hyphen/dash)
  3. Reboot the system to disable IPv6 support.
Note: The solution above only disables(unhooks all of the calls) the ipv6 module, but doesn't prevent it from loading. Unloading the module isn't recommended due to the dependency factors it has with other modules(for example: bonding) and services. To prevent the module from loading, modify/etc/modprobe.d/ipv6.conf with the following only:
Raw
install ipv6 /bin/true

Re-enabling IPv6 support in Red Hat Enterprise Linux 6

  1. Review the files under /etc/modprobe.d/ and remove (or comment out) any of the following lines:
    Raw
    options ipv6 disable=1
install ipv6 /bin/true
blacklist ipv6
alias ipv6 off
  2. Configure the ip6tables service to start at boot by issuing the following command:
    Raw
    # chkconfig ip6tables on
  3. Make sure the following options to your /etc/sysctl.conf are
    Raw
    # ipv6 support in the kernel, set to 0 by default
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
  4. Make sure the following line exists in /etc/hosts, and is not commented out.
    Raw
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
  5. Edit /etc/netconfig for the lines starting with udp6 and tcp6; change the "-"(hyphen/dash) in the third column to "v"
  6. Reboot the system to activate IPv6 support.

Disabling IPv6 support in Red Hat Enterprise Linux 5

  1. Remove the following line (if present) from the /etc/modprobe.conf file:
    Raw
    alias net-pf-10 ipv6
  2. Add the following line to the /etc/modprobe.conf file:
    Raw
    alias net-pf-10 off
  3. In versions of Red Hat Enterprise Linux before 5.4, add the following line to the /etc/modprobe.conf file:
    Raw
    alias ipv6 off
  4. In Red Hat Enterprise Linux 5.4 and later, add the following line to the /etc/modprobe.conf file:
    Raw
    options ipv6 disable=1
  5. To prevent errors during the network initscript start routine, change the NETWORKING_IPV6 parameter in the /etc/sysconfig/network file to the following:
    Raw
    NETWORKING_IPV6=no
  6. Comment out any IPv6 addresses found in /etc/hosts, including ::1 localhost address
    Raw
    # cp -p /etc/hosts /etc/hosts.disableipv6
# sed -i 's/^[[:space:]]*::/#::/' /etc/hosts
  7. For completeness, it is a good idea to configure the ip6tables service not to start at boot by issuing the following command:
    Raw
    # chkconfig ip6tables off
  8. Reboot the system to disable IPv6 support.

Re-enabling IPv6 support in Red Hat Enterprise Linux 5

  1. Remove the following lines (if present) from the /etc/modprobe.conf file:
    Raw
    alias net-pf-10 off
alias ipv6 off
options ipv6 disable=1
  2. Add the following line to the /etc/modprobe.conf file (if not present already):
    Raw
    alias net-pf-10 ipv6
  3. Change the NETWORKING_IPV6 parameter in the /etc/sysconfig/network file to the following:
    Raw
    NETWORKING_IPV6=yes
  4. Make sure the following line exists in /etc/hosts, and is not commented out.
    Raw
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
  5. For completeness, it is a good idea to configure the ip6tables service to start at boot by issuing the following command:
    Raw
    # chkconfig ip6tables on
  6. Reboot the system to re-enable IPv6 support.

Disabling IPv6 support in Red Hat Enterprise Linux 4

  1. Remove the following line (if present) from the /etc/modprobe.conf file:
    Raw
    alias net-pf-10 ipv6
  2. Add the following line to the /etc/modprobe.conf file:
    Raw
    alias net-pf-10 off
  3. Comment out any IPv6 addresses found in /etc/hosts, including ::1 localhost address
    Raw
    # cp -p /etc/hosts /etc/hosts.disableipv6
# sed -i 's/^[[:space:]]*::/#::/' /etc/hosts
  4. Reboot the system to disable IPv6 support.

Re-enabling IPv6 support in Red Hat Enterprise Linux 4

  1. Remove the following line from the /etc/modprobe.conf file:
    Raw
    alias net-pf-10 off
  2. Add the following line to the /etc/modprobe.conf file:
    Raw
    alias net-pf-10 ipv6
  3. Make sure the following line exists in /etc/hosts, and is not commented out.
    Raw
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
  4. Reboot the system to re-enable IPv6 support.

Additional notes

Disabling IPv6 by blacklisting the module invalidates bonding in the system.
No comments:

Subnetmask in HEX



Overview of common subnets and masks

Mask Hosts  Usable Netmask          Hex Mask
/30  4      2      255.255.255.252  fffffffc  this is 1/64 of a Class C net
/29  8      6      255.255.255.248  fffffff8  this is 1/32 of a Class C net
/28  16     14     255.255.255.240  fffffff0  this is 1/16 of a Class C net
/27  32     30     255.255.255.224  ffffffe0  this is 1/8 of a Class C net
/26  64     62     255.255.255.192  ffffffc0  this is 1/4 of a Class C net
/24  256    254    255.255.255.0    ffffff00  this is a Class C net
/23  512    510    255.255.254.0    fffffe00  these are 2 Class C net
/22  1024   1022   255.255.252.0    fffffc00  these are 4 Class C net
/21  2048   2046   255.255.248.0    fffff800  these are 8 Class C net
/20  4096   4094   255.255.240.0    fffff000  these are 16 Class C net
/19  8192   8190   255.255.224.0    ffffe000  these are 32 Class C net
/18  16384  16382  255.255.192.0    ffffc000  these are 64 Class C net
/17  32768  32766  255.255.128.0    ffff8000  these are 128 Class C net
/16  65536  65534  255.255.0.0      ffff0000  these are 256 Class C net = Class B net
No comments:

How to show my NIC MTU value, and how do I change it to use Jumbo Frame?

How to show my NIC MTU value, and how do I change it to use Jumbo Frame?

list current value
$ lsattr -E -l en0 -a mtu                     

With the chdev command, the interface cannot be changed while it is in use. Change is effective across reboots.
$ chdev -l en0 -a mtu=9000                          

An alternate method is as follows: ifconfig interface_name mtu NewValueThis changes the MTU size on a running system, but will not preserve the value across a system reboot.
$ ifconfig en0 mtu 9000

Use SMIT to change permanent, and does not requires restart.
$ smit chif

Note:
Some application that uses persistent connection requires a restart in order to work properly after the change of MTU.


For the Gigabit Ethernet adapter, use the device attribute jumbo_frames=yes to enable jumbo frames (just setting MTU to 9000 on the interface is not enough).
No comments:

OpenSSL HeartBleed (CVE-2014-0160)

Was my OpenSSL affected by the OpenSSL HeartBleed Bug (CVE-2014-0160)?

https://rhn.redhat.com/errata/RHSA-2014-0376.html
https://www.openssl.org/news/secadv_20140407.txt
http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
http://www.inmotionhosting.com/support/website/security/protect-data-fix-openssl-heartbleed-bug
https://www.nccgroup.com/en/blog/2014/04/heartbleed-openssl-vulnerability/


It really depends on your SSL termination setup.
If the SSL being terminated directly on your Apache server, then you should make sure your version being patch or not in the affected version.

Else if your SSL being terminated in Network Load Balancer like F5 LTM, you will need to check on the model you are using and the SSL mode being used.

You may find links above for steps on how to check.

How to test from remote?
Run below from client machine, if it returns “safe” means your version was not affected.
$ openssl s_client -connect www.coursera.org:443  -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe

safe

Or you can download the script from below and run:
https://gist.github.com/takeshixx/10107280

[root@rhel6 test]# ./hb-test.py -p 443 www.hlb.com.my
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 53
 ... received message: type = 22, ver = 0302, length = 3234
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection
No heartbeat response received, server likely not vulnerable

More detailed info from Redhat can be fine here:

https://access.redhat.com/site/articles/786463



No comments:

AIX network route


show routing table
$ netstat -rn

add static route
$ route add -net 172.20.9.0 -netmask 255.255.255.0 172.20.8.67
$ route add -net 10.1.38.0 -netmask 255.255.255.0 172.22.1.128 -if en2

delete static route
$ route delete -net 172.20.9.0

Make persistent route

$ smitty tcpip
$ smitty route
No comments:

PMTU (Path MTU) Discovery


Summary

Internet computers, mostly servers, sometimes send packets too large for part of a given path.  Not handling this correctly can make the server unusable for some people.
Correct handling of oversize packets is by one of two means, as chosen by the sending computer (the server):

Permitting Packet fragmentation - used mostly by older systems
Path MTU discovery - asking for ICMP notification when fragmentation would be needed

By default, modern servers disable fragmentation (DF) and try to use path MTU discovery, but sometimes the system administrators block the ICMP notifications.  Overall, these servers ask for ICMP notification of packets that are too large and then refuse to accept the notifications they ask for.
Unable to learn that they are sending packets are too big for some paths, the servers are unable to send data to some users.  To overcome this they need to accept appropriate ICMP types or allow fragmentation.

Path MTU Discovery

Every network link has a maximum packet size called the link's MTU (Maximum Transmission Unit).  The full path from one computer to another may travel across many links with different MTUs.  The smallest MTU for all the links in a path is the path MTU.

If a packet starts out on a network segment with a large MTU, it may arrive at a link with a smaller MTU and be too big to fit.  Most servers are on segments with large MTUs, but it is increasingly common for internet users to be connected via links with reduced MTUs, so it is becoming common for some packets to be too big.

How the problem of oversize packets has been handled has evolved considerably over time.  The original approach was to send only small packets corresponding to the TCP/IP default MTU (576 bytes).  (To this day, a sending system needs permission from the receiving system to send larger packets, but that permisssion is given as a matter of routine.)

For some packets, especially those sent by older equipment, an oversize packet can be sent by breaking it into fragments and sending the fragments as smaller packets.  The fragments can be reassembled downstream to reconstruct the original large packet, but this packet fragmentation has several problems involving both efficiency and security.

Newer servers try to optimize their transmissions by discovering the path MTU and sending packets of the maximum size when there's enough data to fill them. The procedure for doing this was standardized and published as RFC 1191 in 1990, but it did not become widely deployed until years later. By mid 2002, 80% to 90% of computers on the internet used path MTU discovery.

The basic procedure is simple - send the largest packet you can, and if it won't fit through some link get back a notification saying what size will fit.  The notifications arrive as ICMP (Internet Control Message Protocol) packets known as "fragmentation needed" ICMPs (ICMP type 3, subtype 4).  The notifications are requested by setting the "do not fragment" (DF) bit in packets that are sent out.

Some network and system administrators view all ICMPs as risky and block them all, disabling path MTU discovery, usually without even realizing it.  Of the several dozen ICMP types and subtypes, some do pose some risk, but the risk is mostly mild and is of the "denial of service" nature.  That is, an attacker can use them to interfere with service on and from the network.

By blocking all ICMPs the administrator himself interferes with service on and from his own network.  Unless he also turns off path MTU discovery on his network's servers, he makes his servers unusable by users with reduced-MTU links in their paths.  Because service is affected only in relatively unusual cases, it can be difficult to convince the administrator that a problem exists.  The prevalence of such "unusual" cases is growing rapidly though.

Administrators who want to block all ICMPs should disable path MTU discovery on their computers, especially on their servers. It makes no sense to ask for ICMP notifications and then refuse to accept them.  In addition, doing so opens the server to a special type of distributed denial of service attack based on resource exhaustion from a large number of fully-open connections.

Path MTU discovery can be turned off:


Disabling path MTU on Windows systems requires modifying the Windows Registry.  Microsoft's support website has information and cautions about the Registry.
Recommended to use the Dr. TCP utility for Windows.


Under Linux, with the command
    echo  1  >/proc/sys/net/ipv4/ip_no_pmtu_disc

Under FreeBSD, by using sysctl(8) to zero
    tcp.path_mtu_discovery

On Cisco routers,with the configuration command
    no ip tcp mtu-path discovery

Example Path MTU Discovery Failure Scenario

Joe User has a DSL line.  Like many DSL lines, Joe's line actually comes from a large DSL wholesaler and uses PPPoE (PPP over Ethernet) to create a logical channel between Joe and his favorite ISP.  The DSL line physically connects to a small PPPoE router with a built-in hub, which Joe uses as the basis for his home network.

The MTU on Joe's network is Ethernet's usual 1500 bytes.  The MTU on his DSL line is also 1500 bytes, but PPPoE uses 8 of these bytes for an 8-byte PPPoE header, so the MTU of his PPPoE channel to his ISP is only 1492 bytes.

A computer on Joe's Ethernet doesn't know about the PPPoE channel.  The largest packet it can receive is a 1500-byte Ethernet packet, so when Joe uses his computer to connect to a remote server, his computer tells the server it's ok to send packets up to 1500 bytes.[*]

Establishing connections uses only very small packets, so Joe can connect to the server without any MTU issues, but as soon as Joe asks for enough data to fill a 1500-byte packet, the server sends a 1500-byte packet.  When that packet gets to Joe's ISP, it doesn't fit down the PPPoE channel.  The packet has the DF bit set, telling Joe's ISP to drop the packet and send the server an ICMP saying what packet size will fit.  The ISP sends an ICMP saying the largest size is 1492 bytes.

If the server gets that ICMP, it re-sends the first 1492 bytes as a new packet.  This new packets fits down the PPPoE channel, so Joe's computer gets it and sends back an acknowledgement.  The server continues sending 1492-byte packets until Joe has what he asked for.  In most cases the server will remember the reduced path MTU, typically for ten minutes, and use it for future connections from Joe's computer.

However, if the server does not get that ICMP, things go downhill fast.  The server is expecting an acknowledgement from Joe's computer, but Joe's computer didn't get the packet, so the acknowledgment never comes.  After awhile, the server gives up waiting and sends the same 1500-byte packet again.  Joe's ISP sends back another ICMP.  The server doesn't get it again and tries sending the 1500-byte packet a third time, then a fourth, a fifth, and so on.

Meanwhile Joe's computer can't tell this is happening and is waiting for a response from the server.  Eventually, it gives up and sends the server a connection reset.  It reports a network failure to Joe, who is left wondering what happened.  He may soon discover he can access nearly all other sites, just not the one he wanted.

If the server he's trying to access is a web server, he may get part of the website, such as getting the ads but not the main page content.  This happens because the pages normally displayed for many websites are assembled from data obtained from multiple servers on a variety of networks.  The networks dispensing the ads all support path MTU discovery.

If Joe complains to the server operator, they may tell him the problem has to be his ISP because other users can view their server.  However, Joe's ISP is not doing anything wrong, but the server operator is.  PPPoE and other connections with reduced MTUs are perfectly legitimate and increasingly common. Having a server ask for ICMP notification that it refuses to accept is what's broken behavior.  Some later day, when the server site has gotten enough complaints from people like Joe to believe something is wrong, it may either stop asking for the ICMPs or start accepting the useful ones.  Then Joe will be able to access it.

[*] What Joe's computer actually tells the remote server is that the largest payload it can send in any packet is 1460 bytes, which is the 1500-byte maximum Ethernet packet size minus 40 bytes of overhead.  This maximum payload is called the MSS (Maximum Segment Size).

Workarounds

There is something Joe can do in the meantime.  He can reduce the MTU setting on his computer's Ethernet interface to the PPPoE MTU, 1492 bytes.  Then when his computer first connects to the server, the maximum allowed packet size it gives the server will be 1492 bytes, and the server's packets will fit down the PPPoE channel.
In other words, if he is knowledgeable enough, Joe can overcome the server network misconfiguration by doing manually what is supposed to happen automatically.

If Joe's computer is a Windows system, changing his MTU requires changing a Windows Registry setting.  This is normally something that only experienced Windows-savvy users should attempt.  However, misconfigured servers causing path MTU discovery problems for DSL users has become common enough that there are Windows "tuning" programs available that will do this.

If Joe runs Linux or another UNIX variant, setting the MTU is much easier, using the "ifconfig" command.  However, Linux (and perhaps other UNIX variants) has something even better.  He can reduce the MTU for only his default route out the PPPoE/DSL channel while continuing to use the full 1500-byte MTU for traffic on his own network.

Tunnels and Path MTU Discovery

[**] A tunnel having an MTU of 1500 when it's carried by packets on a link with reduced MTU is possible because PPP is level 2 even though it is encapsulated in level 3 TCP.  PPP fragmenting packets is analogous to ATM shredding of packets and does not violate IP semantics.  PPPoE could do this too, but apparently it does not.  (If you didn't understand this paragraph, don't worry about it.)
No comments:

DDoS

Good article about DDoS.

http://www.linuxsecurity.com/content/view/121960/49/
No comments:

Hardening the TCP/IP stack to SYN attacks

How to detect a SYN attack

It is very simple to detect SYN attacks. The netstat command shows us how many connections are currently in the half-open state. The half-open state is described as SYN_RECEIVED in Windows and as SYN_RECV in Unix systems.

# netstat -n -p TCP tcp        0      0 10.100.0.200:21            237.177.154.8:25882     SYN_RECV    - tcp        0      0 10.100.0.200:21            236.15.133.204:2577     SYN_RECV    - tcp        0      0 10.100.0.200:21            127.160.6.129:51748     SYN_RECV    - tcp        0      0 10.100.0.200:21            230.220.13.25:47393     SYN_RECV    - tcp        0      0 10.100.0.200:21            227.200.204.182:60427   SYN_RECV    - tcp        0      0 10.100.0.200:21            232.115.18.38:278       SYN_RECV    - tcp        0      0 10.100.0.200:21            229.116.95.96:5122      SYN_RECV    - tcp        0      0 10.100.0.200:21            236.219.139.207:49162   SYN_RECV    - tcp        0      0 10.100.0.200:21            238.100.72.228:37899    SYN_RECV    - ...
We can also count how many half-open connections are in the backlog queue at the moment. In the example below, 769 connections (for TELNET) in the SYN RECEIVED state are kept in the backlog queue.

# netstat -n -p TCP | grep SYN_RECV | grep :23 | wc -l 769
The other method for detecting SYN attacks is to print TCP statistics and look at the TCP parameters which count dropped connection requests. While under attack, the values of these parameters grow rapidly.
In this example we watch the value of the TcpHalfOpenDrop parameter on a Sun Solaris machine.

# netstat -s -P tcp | grep tcpHalfOpenDrop         tcpHalfOpenDrop     =   473
It is important to note that every TCP port has its own backlog queue, but only one variable of the TCP/IP stack controls the size of backlog queues for all ports.

The backlog queue

The backlog queue is a large memory structure used to handle incoming packets with the SYN flag set until the moment the three-way handshake process is completed. An operating system allocates part of the system memory for every incoming connection. We know that every TCP port can handle a defined number of incoming requests. The backlog queue controls how many half-open connections can be handled by the operating system at the same time. When a maximum number of incoming connections is reached, subsequent requests are silently dropped by the operating system.
As mentioned before, when we detect a lot of connections in the SYN RECEIVED state, host is probably under a SYN flooding attack. Moreover, the source IP addresses of these incoming packets can be spoofed. To limit the effects of SYN attacks we should enable some built-in protection mechanisms. Additionally, we can sometimes use techniques such as increasing the backlog queue size and minimizing the total time where a pending connection in kept in allocated memory (in the backlog queue).

Built-in protection mechanisms

Operating system: Windows 2000
The most important parameter in Windows 2000 and also in Windows Server 2003 is SynAttackProtect. Enabling this parameter allows the operating system to handle incoming connections more efficiently. The protection can be set by adding a SynAttackProtect DWORD value to the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
In general, when a SYN attack is detected the SynAttackProtect parameter changes the behavior of the TCP/IP stack. This allows the operating system to handle more SYN requests. It works by disabling some socket options, adding additional delays to connection indications and changing the timeout for connection requests.
When the value of SynAttackProtect is set to 1, the number of retransmissions is reduced and according to the vendor, the creation of a route cache entry is delayed until a connection is made. The recommended value of SynAttackProtect is 2, which additionally delays the indication of a connection to the Windows Socket until the three-way handshake is completed. During an attack, better performance in handling connections is achieved by disabling the use of a few parameters (these parameters are usually used by the system during the process of creating new connections). The TCPInitialRTT parameter, which defines the time of the first retransmission, will no longer work. It's impossible to negotiate the window size value. Also, the scalable windows option is disabled on any socket.
As we can see, by enabling the SynAttackProtect parameter we don't change the TCP/IP stack behavior until under a SYN attack. But even then, when SynAttackProtect starts to operate, the operating system can handle legitimate incoming connections.
The operating system enables protection against SYN attacks automatically when it detects that values of the following three parameters are exceeded. These parameters are TcpMaxHalfOpenTcpMaxHalfOpenRetried and TcpMaxPortsExhausted.
To change the values of these parameters, first we have to add them to the same registry key as we made for SynAttackProtect.
The TcpMaxHalfOpen registry entry defines the maximum number of SYN RECEIVED states which can be handled concurrently before SYN protection starts working. The recommended value of this parameter is 100 for Windows 2000 Server and 500 for Windows 2000 Advanced Server.
TcpMaxHalfOpenRetried defines the maximum number of half-open connections, for which the operating system has performed at least one retransmission, before SYN protection begins to operate. The recommended value is 80 for Windows 2000 Server, and 400 for Advanced Server.
The TcpMaxPortsExhausted registry entry defines the number of dropped SYN requests, after which the protection against SYN attacks starts to operate. Recommended value is 5.
Operating system: Linux RedHat
RedHat, like other Linux operating systems, has implemented a SYN cookies mechanism which can be enabled in the following way:

# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Note that to make this change permanent we need to create a startup file that sets this variable. We must do the same operation for other UNIX variables described in this paper because the values for these variables will return to default upon system reboot.
SYN cookies protection is especially useful when the system is under a SYN flood attack and source IP addresses of SYN packets are also forged (a SYN spoofing attack). This mechanism allows construction of a packet with the SYN and ACK flags set and which has a specially crafted initial sequence number (ISN), called a cookie. The value of the cookie is not a pseudo-random number generated by the system but instead is the result of a hash function. This hash result is generated from information like: source IP, source port, destination IP, destination port plus some secret values. During a SYN attack the system generates a response by sending back a packet with a cookie, instead of rejecting the connection when the SYN queue is full. When a server receives a packet with the ACK flag set (the last stage of the three-way handshake process) then it verifies the cookie. When its value is correct, it creates the connection, even though there is no corresponding entry in the SYN queue. Then we know that it is a legitimate connection and that the source IP address was not spoofed. It is important to note that the SYN cookie mechanism works by not using the backlog queue at all, so we don't need to change the backlog queue size. More information about SYN cookies can be found athttp://cr.yp.to/syncookies.html.
Also note that the SYN cookies mechanism works only when the CONFIG_SYNCOOKIES option is set during kernel compilation.
The next section will describe other useful methods of protection against SYN attacks. I would like to emphasize that under heavy SYN attacks (like Distributed SYN flooding attack) these methods may help but still not solve the problem.

Increasing the backlog queue

Under a SYN attack, we can modify the backlog queue to support more connections in the half-open state without denying access to legitimate clients. In some operating systems, the value of the backlog queue is very low and vendors often recommend increasing the SYN queue when a system is under attack.
Increasing the backlog queue size requires that a system reserve additional memory resources for incoming requests. If a system has not enough memory for this operation, it will have an impact on system performance. We should also make sure that network applications like Apache or IIS can accept more connections.
Operating system: Windows 2000
Aside from described above TcpMaxHalfOpen and TcpMaxHalfOpenRetried variables, in Windows 2000 the number of connections handled in the half-open state can be set through a dynamic backlog. Configuration of this dynamic backlog is accomplished via the AFD.SYS driver. This kernel-mode driver is used to support Windows Socket applications like FTP and Telnet. To increase the number of half-open connections, AFD.SYS provides four registry entries. All of these values, corresponding to AFD.SYS, are located under the following registry key:

HKLM\System\CurrentControlSet\Services\AFD\Parameters
The EnableDynamicBacklog registry value is a global switch to enable or disable a dynamic backlog. Setting it to 1 enables the dynamic backlog queue.
MinimumDynamicBacklog controls the minimum number of free connections allowed on a single TCP port. If the number of free connections drops below this value, then additional free connections are created automatically. Recommended value is 20.
The MaximumDynamicBacklog registry value defines the sum of active half-open connections and the maximum number of free connections. When this value is exceeded, no more free connections will be created by a system. Microsoft suggests that this value should not exceed 20000.
The last DynamicBacklogGrowthDelta parameter controls the number of free connections to be created when additional connections are necessary. Recommended value: 10.
The table below shows the recommended values for the AFD.SYS driver:

Subkey Registry Value EntryFormatValue
EnableDynamicBacklogDWORD1
MinimumDynamicBacklogDWORD20
MaximumDynamicBacklogDWORD20000
DynamicBacklogGrowthDeltaDWORD10
Operating system: Linux
tcp_max_syn_backlog variable defines how many half-open connections can be kept by the backlog queue. For instance 256 is a total number of half-open connections handled in memory by Linux RedHat 7.3. The TCP/IP stack variables can be configured by sysctl or standard Unix commands. The following example shows how to change the default size of the backlog queue by the sysctl command:

# sysctl -w net.ipv4.tcp_max_syn_backlog="2048"
Operating system: Sun Solaris
In Sun Solaris there are two parameters which control the maximum number of connections. The first parameter controls the total number of full connections. The second tcp_conn_req_max_q0 parameter defines how many half-open connections are allowed without the dropping of incoming requests. In Sun Solaris 8, the default value is set to 1024. Using the ndd command we can modify this value.

# ndd -set /dev/tcp tcp_conn_req_max_q0 2048
Operating system: HP-UX
In HP-UX, a tcp_syn_rcvd_max TCP/IP stack variable is responsible for control of the maximum number of half-open connections in the SYN RECEIVE state. In HP-UX 11.00 this value is set to 500. We can change this value by using the ndd command, similar to the one used in a Sun Solaris system.

# ndd -set /dev/tcp tcp_syn_rcvd_max 2048

Decreasing total time of handling connection request

As we know, SYN flooding/spoofing attacks are simply a series of SYN packets, mostly from forged IP addresses. In the last section we tried to increase the backlog queue. Now that our systems can handle more SYN requests, we should decrease the total time we keep half-open connections in the backlog queue. When a server receives a request, it immediately sends a response with the SYN and ACK flags set, puts this half-open connection into the backlog queue, and then waits for a packet with the ACK flag set from the client. When no response is received from the client, the server retransmits a response packet (with the SYN and ACK flags set) several times (depending on default value in each operating system) by giving the client a chance to send the ACK packet again. It is clear that when the source IP address of client was spoofed, the ACK packet will never arrive. After a few minutes the server removes this half-open connection. We can speed up this time of removing connections in the SYN RECEIVED state from the backlog queue by changing time of first retransmission and by changing the total number of retransmissions.
Another technique of protection against SYN attacks is switching off some TCP parameters that are always negotiated during the three-way handshake process. Some of these parameters are automatically turned off by mechanisms described in the first section (SynAttackProtect and Syncookies).
Now, I will describe TCP/IP stack variables which allow a decrease in the time half-open connections are kept in the backlog queue.
Operating system: Windows 2000
In Windows 2000, the default time for a first retransmission is set to 3 seconds (3000 milliseconds) and can be changed by modifying the value of the TcpInitialRtt registry entry (for every interface). For example, to decrease time of a first retransmission to 2 seconds we have to set this registry value to 2000 milliseconds in decimal format. The number of retransmissions (packets with the SYN and ACK flags set) is controlled by a TcpMaxConnectResponseRetransmissions registry parameter which has to be added to HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key.
The table below contains a few examples of values and corresponding times for keeping half-open connections in the backlog queue (the time of a first retransmission is set to 3 seconds).

ValueTime of retransmissionTotal time to keep half-open connections in the backlog queue
1in 3rd second9 seconds
2in 3rd and 9th second21 seconds
3in 3rd , 9th and 21st second45 seconds
We can set this registry value to 0, whereby Windows doesn't try to retransmit packets at all. In this case, the system sends only one response and cancels the half-open connection after 3 seconds. This setting is ignored when its value is equal or greater than 2 and when SynAttackProtect is enabled.
Operating system: Linux RedHat
tcp_synack_retries variable is responsible for controlling the number of retransmissions in Linux operating system. Its default value is set to 5 for most Linux operating systems, which causes the half-open connection to be removed after 3 minutes. In the below table there are calculations for other values.

ValueTime of retransmissionTotal time to keep half-open connections in the backlog queue
1in 3rd second9 seconds
2in 3rd and 9th second21 seconds
3in 3rd , 9th and 21st second45 seconds
Operating system: Sun Solaris
In this operating system it is impossible to turn off retransmissions of packets directly using the ndd command. Moreover, in Sun Solaris there are parameters which are non-configurable by ndd and which control the number of retransmissions (at least 3) and total time of packet retransmissions (at least 3 minutes). More information about these parameters can be found in the "Solaris 2.x - Tuning Your TCP/IP stack and More" document.
Operating system: HP-UX
For HP-UX, the time spent handling half-open connections in the backlog queue is controlled by the tcp_ip_abort_cinterval parameter. By using the ndd command we can define how long a HP-UX operating system will be waiting for the ACK packet. We can control how many retransmissions will be performed indirectly by changing this value. Have a look at the table below.

ValueTime of retransmissionTotal time to keep half-open connections in the backlog queue
1000-1 second
5000in 2nd second5 seconds
10000in 2nd and 5th second10 seconds
60000In 2nd, 5th, 11th, 23rd and 47th second1 minute
We can change the time of a first retransmission by modifying tcp_rexmit_interval_initial. Intervals of subsequent retransmissions are controlled by two parameters: tcp_rexmit_interval and tcp_rexmit_interval_min. These three variables are the same as in a Sun Solaris operating system.

Summary

The methods of hardening the TCP/IP stack that are presented in this article make servers more resistant to SYN flooding and SYN spoofing - Denial of Service attacks. A modification of your default TCP/IP stack settings is also recommended during the process of securing of the operating system.



No comments:
Subscribe to: Posts (Atom)