UNIX IP Stack Tuning Guide v2.7
Introduction
The purpose of this document is to strengthen the UNIX IP stack
against a variety of attack types prevalent on the Internet today.
This document details the settings recommended for UNIX servers
designed to provide network intensive services such as HTTP or
routing (firewall services). This document covers the following
UNIX variants:
- A. IBM AIX 4.3.X
- B. Sun Solaris 7
- C. Compaq Tru64 UNIX 5.X
- D. HP HP-UX 11.0 (research ongoing)
- E. Linux kernel 2.2 (tested both SuSE Linux 7.0 and RedHat 7.0)
- F. FreeBSD
- G. IRIX 6.5.10
Windows NT/2000 will be covered in future releases.
The tuning changes noted below will not remain across reboots.
Thus, these changes should be added to a runtime commands file
so that the changes are enacted at each boot.
- AIX - /etc/rc.net
- Solaris - /etc/init.d/inetinit
- Tru64 UNIX - Use the sysconfigdb or dxkerneltuner command
- HP-UX - /etc/rc.config.d/nddconf
- Linux kernel 2.2 - /etc/sysctl.conf
- FreeBSD - /etc/rc.conf
- IRIX - Use the systune command
No tuning steps should be undertaken without a keen insight
into the purpose and effect of such steps. It is assumed that
the personnel who undertake such tuning are well versed in the
UNIX kernel with bit-level understanding of TCP/IP and the RFCs
that govern IP behavior.
Revision History
Version 1.0 - Created the AIX IP stack tuning guide
Version 2.0 - Added Solaris and additional AIX tuning tips, reformatted doc
Version 2.2 - Added ARP tuning tips
Version 2.3 - Added Compaq Tru64 UNIX SYN defense tips
Version 2.4 - Added HP HP-UX 11.0 tuning tips
Version 2.5 - Added Linux and FreeBSD tuning tips
Version 2.6 - Added IRIX 6.5.10 and additional FreeBSD tuning tips
Version 2.7 - Added additional HP-UX 11.0 tuning tips
Credits
This has become a global effort, and this document is made
richer and more valuable thanks to the input of several very helpful
folks! Kudos and lauds for the folks below:
Thanks to the Compaq Software Security Response Team for the
Tru64 UNIX SYN flood defense pointers.
For HP-UX 11.0, thanks to Tom Harrold for running ndd over
and over at my every request. :-)
Thanks to Klaus Moeller for a copious collection of Linux tuning
tips.
Thanks to Andrew Korty for the FreeBSD tuning tips.
Thanks to Christian Lambert and Alex Icasiano of SGI for the
IRIX tuning tips.
Thanks to Neil Long for the Solaris source route forwarding
correction.
Thanks, as always, to the FIRST
community for support, questions, and feedback.
General IP Stack Tuning Recommendations
1. TCP send and receive spaces
The TCP send and receive spaces directly affect the TCP window
size parameter. An increased window size will allow for more efficient
transfers, particularly bulk transfers such as FTP and HTTP. The
default for each is not optimal, and should be increased to 32768
bytes. This value should not be increased above 64K bytes unless
the implications of RFC1323
and RFC2018
are fully understood and support for both is enabled.
Do not enable RFC1323 without also enabling support for RFC2018.
Remember, pipe drain is a Bad Thing[tm].
- A. AIX
- /usr/sbin/no -o tcp_sendspace=32768
- /usr/sbin/no -o tcp_recvspace=32768
- B. Solaris
- /usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat 32768
- /usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 32768
- C. Tru64 UNIX
- No tuning recommendations.
- D. HP-UX
- The TCP send and receive spaces are set to 32768 by default
- E. Linux kernel 2.2
- While Linux automagically assigns the TCP send and receive
spaces, support for both RFC1323 (large window support, net.ipv4.tcp_window_scaling)
and RFC2018 (SACK support, net.ipv4.tcp_sack) are enabled by
default.
- F. FreeBSD
- sysctl -w net.inet.tcp.sendspace=32768
- sysctl -w net.inet.tcp.recvspace=32768
- G. IRIX
- The default settings for IRIX are 64Kbytes for both the TCP
send and receive spaces.
2. Socket queue defense against SYN attacks
While great effort is undertaken to defend any network from
those with malicious intent, several ports (largely TCP) must
remain open to conduct business. Internet vandals may attempt
to exploit these ports to launch a denial of service attack. One
of the most popular attacks remains the SYN flood, wherein the
socket queue of the attacked host is overwhelmed with bogus connection
requests. To defend against such attacks, certain UNIX variants
maintain separate queues for inbound socket connection requests.
One queue is for half-open sockets (SYN received, SYN|ACK sent),
the other queue for fully-open sockets awaiting an accept()
call from the application. These two queues should be increased
so that an attack of low to moderate intensity will have little
to no effect on the stability or availability of the server.
- A. AIX
- /usr/sbin/no -o clean_partial_conns=1
- This setting will instruct the kernel to randomly remove
half-open sockets from the q0 queue to make room for new sockets.
- B. Solaris
- /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024
- The q queue holds sockets awaiting an accept()
call from the application.
- /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 2048
- The q0 queue contains half-open sockets.
- C. Tru64 UNIX
- /sbin/sysconfig -r socket sominconn=65535
- The value of sominconn determines how many simultaneous incoming
SYN packets can be handled by the system.
- /sbin/sysconfig -r socket somaxconn=65535
- The value of somaxconn sets the maximum number of pending
TCP connections.
- D. HP-UX
- /usr/sbin/ndd -set /dev/tcp tcp_syn_rcvd_max 1024
- /usr/sbin/ndd -set /dev/tcp tcp_conn_request_max 200
- E. Linux kernel 2.2
- /sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=1280
- Increases the size of the socket queue (effectively, q0).
- /sbin/sysctl -w net.ipv4.tcp_syncookies=1
- Enables support for TCP SYN cookies, which mitigates the
effectiveness of SYN floods. However, this may cause performance
problems for large windows (see RFC1323 and RFC2018). To read
more about SYN cookies, please review DJ Bernstein's paper here.
- F. FreeBSD
- sysctl -w kern.ipc.somaxconn=1024
- G. IRIX
- The listen() queue is hardcoded to 32. However, the
system actually enforces the limit of pending connections as
((3 * backlog) / 2) + 1. This yields a maximum backlog of 49
connections.
3. Redirects
A miscreant can use IP redirects to modify the routing table
on a remote host. In a well-designed network, redirects to the
end stations should not be required. Both the sending and accepting
of redirects should be disabled.
- A. AIX
- /usr/sbin/no -o ipignoreredirects=1
- /usr/sbin/no -o ipsendredirects=0
- B. Solaris
- /usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
- /usr/sbin/ndd -set /dev/ip ip_send_redirects 0
- C. Tru64 UNIX
- No tuning recommendations.
- D. HP-UX
- /usr/sbin/ndd -set /dev/ip ip_send_redirects 0
- E. Linux kernel 2.2
- /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
- /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
- F. FreeBSD
- sysctl -w net.inet.icmp.drop_redirect=1
- sysctl -w net.inet.icmp.log_redirect=1
- sysctl -w net.inet.ip.redirect=0
- sysctl -w net.inet6.ip6.redirect=0
- G. IRIX
- /usr/sbin/systune icmp_dropredirects to 1
4. ARP cleanup
It is possible for a miscreant to create a resource exhaustion
or performance degradation by filling the IP route cache with
bogus ARP entries. In Solaris, there are two parameters that govern
the cleanup interval for the IP route cache. For unsolicited ARP
responses, the parameter to be tuned is arp_cleanup_interval.
In AIX, the cleanup interval is governed by the value of arpt_killc.
However, this parameter governs both solicited and unsolicited
ARP entries. For this reason, it is likely best to leave the parameter
at the default setting of 20 minutes.
- A. AIX
- /usr/sbin/no -o arpt_killc=20
- B. Solaris
- /usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000
- C. Tru64 UNIX
- No tuning recommendations.
- D. HP-UX
- By default set to five minutes.
- E. Linux kernel 2.2
- No tuning recommendations.
- F. FreeBSD
- sysctl -w net.link.ether.inet.max_age=1200
- G. IRIX
- No tuning recommendations.
5. Source routing
With source routing, an attacker can attempt to reach internal
IP addresses - including RFC1918 addresses. It is important to
disable the acceptance of source routed packets to prevent subtle
probes of your internal networks.
- A. AIX
- /usr/sbin/no -o ipsrcroutesend=0
- Disable the sending of source routed packets.
- /usr/sbin/no -o ipsrcrouteforward=0
- This is important if the box is routing, e.g. a firewall.
Disable this feature to prevent the host from forwarding source
routed packets.
- B. Solaris
- /usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
- This is important if the box is routing, e.g. a firewall.
Disable this feature to prevent the host from forwarding source
routed packets.
- C. Tru64 UNIX
- No tuning recommendations.
- D. HP-UX
- ndd -set /dev/ip ip_forward_src_routed 0
- Disable this feature to prevent the host from forwarding
source routed packets.
- E. Linux kernel 2.2
- /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
- Drop all source route packets.
- /sbin/sysctl -w net.ipv4.conf.all.forwarding=0
- /sbin/sysctl -w net.ipv4.conf.all.mc_forwarding=0
- Do not forward source routed frames.
- F. FreeBSD
- sysctl -w net.inet.ip.sourceroute=0
- sysctl -w net.inet.ip.accept_sourceroute=0
- G. IRIX
- /usr/sbin/systune ipforward to 2
6. TIME_WAIT setting
On a busy web server, many sockets may linger in the TIME_WAIT
state. This is caused by improperly coded client applications
that do not properly shut down a socket. This can also be used
as a type of DDoS attack.
- A. AIX
- No tuning recommendations.
- B. Solaris
- /usr/sbin/ndd -set /dev/tcp tcp_time_wait_interval 60000
- This parameter affects the amount of time a TCP socket will
remain in the TIME_WAIT state. The default is quite high for
a busy web server, so it should be lowered to 60000 milliseconds
(60 seconds). The parameter name was corrected in Solaris 7 and
higher. Prior to Solaris 7, the parameter was incorrectly labeled
as tcp_close_wait_interval.
- C. Tru64 UNIX
- No tuning recommendations.
- D. HP-UX
- ndd -set /dev/tcp tcp_time_wait_interval 60000
- Sockets will linger in TIME_WAIT state no more than 60 seconds.
- E. Linux kernel 2.2
- /sbin/sysctl -w net.ipv4.vs.timeout_timewait=60
- Sockets will linger in TIME_WAIT state for no more than 60
seconds.
- F. FreeBSD
- No tuning recommendations.
- G. IRIX
- /usr/sbin/systune tcp_2msl to 60
7. Broadcast ECHO response
Smurf attacks work by sending ICMP type 8 code 0 (ECHO REQUEST) messages
to a broadcast address from a spoofed address. Some IP stacks
will respond, by default, to such messages. This should be disabled.
Further, if the host is a firewall (router), it should not propagate
directed broadcasts.
- A. AIX
- /usr/sbin/no -o directed_broadcast=0
- Do not respond to directed broadcasts.
- B. Solaris
- /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
- Do not respond to directed broadcasts.
- /usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
- Do not forward directed broadcasts.
- C. Tru64 UNIX
- No tuning recommendations.
- D. HP-UX
- ndd -set /dev/ip ip_respond_to_echo_broadcast 0
- Do not respond to directed broadcasts.
- ndd -set /dev/ip ip_forward_directed_broadcasts 0
- Do not forward directed broadcasts.
- E. Linux kernel 2.2
- /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
- Do not respond to directed broadcasts.
- F. FreeBSD
- sysctl -w net.inet.icmp.bmcastecho=0
- G. IRIX
- /usr/sbin/systune allow_brdaddr_srcaddr to 0
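An audit script for the Linux kernel 2.2 settings recommended in sections 2, 3, 5 and 7 above, added here as an example and not part of the original guide. It assumes the parameters are readable under /proc/sys; the optional ROOT argument and the make_fixture helper are assumptions so the check can be exercised offline against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the original guide: re-reads the Linux settings the
# guide recommends in sections 2, 3, 5 and 7 from /proc/sys and reports drift
# (e.g. a reboot without the /etc/sysctl.conf entries). The optional ROOT
# argument is an assumption for offline testing against a fixture tree.
# Recommended values, as given in the guide's Linux kernel 2.2 entries.
WANTED='net.ipv4.tcp_max_syn_backlog 1280
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.icmp_echo_ignore_broadcasts 1'
# read_sysctl KEY [ROOT]: current value under ROOT (default /proc/sys), or
# "missing" when the running kernel does not expose that parameter.
read_sysctl() {
    _path="${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    [ -r "$_path" ] && tr -d '[:space:]' < "$_path" || printf 'missing'
}
# audit_sysctls [ROOT]: prints one OK / DRIFT / MISSING line per setting.
audit_sysctls() {
    while read -r _key _want; do
        _have=$(read_sysctl "$_key" "${1:-}")
        if [ "$_have" = "$_want" ]; then
            printf 'OK      %s=%s\n' "$_key" "$_have"
        elif [ "$_have" = "missing" ]; then
            printf 'MISSING %s (wanted %s)\n' "$_key" "$_want"
        else
            printf 'DRIFT   %s=%s (wanted %s)\n' "$_key" "$_have" "$_want"
        fi
    done <<EOF
$WANTED
EOF
}
# drift_count [ROOT]: how many settings are not at the recommended value.
drift_count() {
    audit_sysctls "${1:-}" | grep -cv '^OK ' || true
}
# make_fixture DIR: constructed /proc/sys look-alike with two deliberate
# faults (SYN cookies off, broadcast-echo parameter absent) for testing.
make_fixture() {
    mkdir -p "$1/net/ipv4/conf/all"
    echo 1280 > "$1/net/ipv4/tcp_max_syn_backlog"
    echo 0 > "$1/net/ipv4/tcp_syncookies"
    for _k in send_redirects accept_redirects accept_source_route; do
        echo 0 > "$1/net/ipv4/conf/all/$_k"
    done
}
# Usage: sh ipaudit.sh --audit   (checks the live kernel under /proc/sys)
if [ "${1:-}" = "--audit" ]; then audit_sysctls /proc/sys; fi
```

Run it from cron or at the end of the boot sequence and alert on any non-zero drift_count, so a lost sysctl.conf entry is noticed before it matters.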
8. Other broadcast probes
There are two other broadcast probes that a miscreant could
utilize against a network. The address mask query can be used
to map out the size of the netblock, and set a range for further
probes. The timestamp broadcast is another means of mapping and
fingerprinting hosts.
- A. AIX
- /usr/sbin/no -o icmpaddressmask=0
- Prevent address mask queries.
- B. Solaris
- /usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
- Prevent address mask queries.
- /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
- Disable timestamp broadcast query response.
- C. Tru64 UNIX
- No tuning recommendations.
- D. HP-UX
- ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
- Prevent the host from revealing the configured netmask.
- ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
- Disable timestamp broadcast query response.
- E. Linux kernel 2.2
- No tuning recommendations.
- F. FreeBSD
- sysctl -w net.inet.icmp.maskrepl=0
- G. IRIX
- Use ipfilterd to block unwanted ICMP types.
9. Support for RFC1948
This will utilize RFC1948
sequence number generation techniques to ensure that the sequence
number for a given TCP socket is very difficult to guess. This
tactic prevents TCP session hijacking, which could be quite an
issue with e-commerce.
- B. Solaris
- Set TCP_STRONG_ISS=2 in /etc/default/inetinit.
- This will require a reboot to take effect.
- G. IRIX
- /usr/sbin/systune tcpiss_md5 to 1
Rob Thomas, robt@cymru.com,
http://www.cymru.com/~robt