Sol-2.6 ndd params in S69inet

Folks:

Original Question:

        Back when I was building firewalls on 2.5 I used to modify the /etc/rc2.d/S69inet file with directives from a Sun security bulletin to prevent SYN-flood attacks. They are:

    ndd -set /dev/tcp tcp_ip_abort_cinterval 10000
    echo "tcp_param_arr+14/W 0t10240" | /bin/adb -kw /dev/ksyms /dev/mem
    ndd -set /dev/tcp tcp_conn_req_max 8192
    ndd -set /dev/tcp tcp_close_wait_interval 30000
    echo "Kernel TCP syn/ack params adjusted"

        In poking around a 2.6 system I noticed that tcp_conn_req_max has been replaced by tcp_conn_req_max_q and tcp_conn_req_max_q0. Also, I could not get a value out of adb or crash for the tcp_param_arr+14 that made sense.

        Looking at the values on stock 2.5.1 and 2.6 machines for tcp_ip_abort_cinterval and tcp_close_wait_interval I think that I do want to change them to the new values, but hot-patching the kernel during the boot process to change the table entry for number of connections allowed so that the ndd to set tcp_conn_req_max_? will work is a bit confusing and certainly something not to be undertaken without full knowledge of what you are doing...

        So, can somebody out there who really knows the guts of 2.6 tell me what the offset in the tcp_param_arr is for that entry and what the meaning of the 2 new tcp_conn_req_max_? params is...the second one seems to be about 10 times larger than the first (1024/128).

Thanx:

Eddy Fafard <eddy@slimepuppy.apple.com>

Casper Dik <casper@holland.Sun.COM>

*** Full responses below ***

Solution:

        Given the great wealth of information on the page (and linked pages) that Eddy pointed me to, and Casper's warnings and advice, I am very carefully going to shorten up some of the interval timers to close wait state sessions a little faster (after all, it only takes a couple of seconds to round trip a packet to the moon), and I will increase the queue sizes on the firewalls for proxy performance and on the DMZ servers for web request processing....

    Regards,
    b c++'ing u,
    %-) sjs

PS: I am my own employer, therefore: "all opinions are twice spoken for;" and they do, in fact, scare the hell out of said employer!!!

-------------------------------------------------------------------------------
Stefan Jon Silverman - President, SJS Associates, N.A., Inc.
Distributed Systems Architecture, Implementation & Security
698 West End Avenue, Suite 15-B, New York, New York 10025
Phone: 212 662 9450    Fax: 212 662 9461    Cell: 917 929 1668
E-mail: sjs@sjsinc.com    Text-Page: sjs-page@sjsinc.com
-------------------------------------------------------------------------------
                  Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------

----- Begin Included Message -----

From: Eddy Fafard <eddy@slimepuppy.apple.com>

Here is a web page that explains all the 2.6 tunables

Eddy

http://www.rvs.uni-hannover.de/people/voeckler/tune/EN/tune.html

Ed Fafard
Apple Computer
eddy@slimepuppy.apple.com
408-974-4747 Phone
408-862-7210 Fax

 IF IT'S CALLED THE TOURIST SEASON, WHY CAN'T WE SHOOT THEM?
 24 hours in a day, 24 beers in a case - coincidence? ... I think not !
"I'm as confused as a baby in a topless bar!"

----- End Included Message -----

----- Begin Included Message -----

From: Casper Dik <casper@holland.Sun.COM>

>Folks:
>
> Back when I was building firewalls on 2.5 I used to modify the /etc/rc2.d/S69inet file with directives from a Sun security bulletin to prevent SYN-flood attacks. They are:
>
>ndd -set /dev/tcp tcp_ip_abort_cinterval 10000
>echo "tcp_param_arr+14/W 0t10240" | /bin/adb -kw /dev/ksyms /dev/mem
>ndd -set /dev/tcp tcp_conn_req_max 8192
>ndd -set /dev/tcp tcp_close_wait_interval 30000
>echo "Kernel TCP syn/ack params adjusted"
>

Well, the adb command should be used with *extreme* caution. The param array is reconfigured often and it should only be used on the exact patchlevel it was written for.

The instructions are *only* for 2.5, not for later OS releases. 2.6 and 2.5.1 (+patches) address SYN flooding without any need to tune anything.

> In poking around a 2.6 system I noticed that tcp_conn_req_max has been replaced by tcp_conn_req_max_q and tcp_conn_req_max_q0. Also, I could not get a value out of adb or crash for the tcp_param_arr+14 that made sense.

No, probably because that is a whole different value now.

> Looking at the values on stock 2.5.1 and 2.6 machines for tcp_ip_abort_cinterval and tcp_close_wait_interval I think that I do want to change them to the new values, but hot-patching the kernel during the boot process to change the table entry for number of connections allowed so that the ndd to set tcp_conn_req_max_? will work is a bit confusing and certainly something not to be undertaken without full knowledge of what you are doing...

You shouldn't need to do that.

The precise reason it was split into queues was SYN flood prevention; there are now two queues: one with half-open connections (SYN_RCVD/q0) and one with established connections (_q). When SYN flooding is in progress, q0 will overflow; then SYN flooding protection starts to work and connections are tossed from q0.

> So, can somebody out there who really knows the guts of 2.6 tell me what the offset in the tcp_param_arr is for that entry and what the meaning of the 2 new tcp_conn_req_max_? params is...the second one seems to be about 10 times larger than the first (1024/128).

The only reason to do the "adb thing" in 2.5 was to later set tcp_conn_req_max to a higher value than allowed by default; this is no longer necessary in 2.6.

You can use ndd to change the queue values, but you don't need to do so, unless you run *very* busy servers.

For SYN flood protection, no changes are needed.

Casper

----- End Included Message -----
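As an added example (not from the thread or from Sun), a toy Python model of the two-queue listen design Casper describes for 2.6, beside a single-queue model of the 2.5 behaviour it replaced. The limits are the 2.6 defaults quoted in the thread (q = 128, q0 = 1024); the eviction policy (oldest half-open entry tossed when q0 overflows) and the single-queue drop behaviour are assumptions of the model, not Solaris internals.

```python
from collections import OrderedDict, deque

# Assumed model, not Solaris source: q0 evicts its oldest half-open entry
# when full; a full 2.5-style single queue drops the arriving SYN outright.

class SingleQueueListener:
    """2.5-style: SYN_RCVD and established entries share tcp_conn_req_max."""
    def __init__(self, conn_req_max=128):
        self.max, self.pending = conn_req_max, {}   # src -> state

    def syn(self, src):
        if len(self.pending) >= self.max:
            return False                # full: a legit SYN is dropped too
        self.pending[src] = "syn_rcvd"
        return True

    def ack(self, src):
        if self.pending.get(src) != "syn_rcvd":
            return False
        self.pending[src] = "established"
        return True

class TwoQueueListener:
    """2.6-style: q0 holds SYN_RCVD entries (tcp_conn_req_max_q0), q holds
    completed handshakes awaiting accept() (tcp_conn_req_max_q)."""
    def __init__(self, conn_req_max_q=128, conn_req_max_q0=1024):
        self.max_q, self.max_q0 = conn_req_max_q, conn_req_max_q0
        self.q0, self.q, self.tossed = OrderedDict(), deque(), 0

    def syn(self, src):
        if len(self.q0) >= self.max_q0:     # flood overflows q0 ...
            self.q0.popitem(last=False)     # ... oldest half-open is tossed
            self.tossed += 1
        self.q0[src] = "syn_rcvd"
        return True

    def ack(self, src):
        if src not in self.q0 or len(self.q) >= self.max_q:
            return False                    # stranger, or accept() backlog full
        del self.q0[src]
        self.q.append(src)                  # completed handshake awaits accept()
        return True

def flood_then_legit(listener, flood_size=5000):
    """Feed flood_size constructed SYNs that never complete, then one
    legitimate SYN/ACK pair; return whether the legit client got through."""
    for i in range(flood_size):
        listener.syn(("10.0.0.%d" % (i % 250), 40000 + i))   # constructed sources
    legit = ("192.0.2.10", 51000)
    return listener.syn(legit) and listener.ack(legit)
```

With the defaults, the single queue fills after 128 half-open entries and the legitimate client is refused, while the split design keeps churning q0 and still completes the handshake into q.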
