Tuning Digital UNIX against 
TCP SYN Flooding and IP Spoofing Attacks

     Patches are currently available for Digital UNIX which allow the system administrator
     to avoid or reduce the negative impacts of a TCP SYN attack. The tunable parameters
     needed to survive these attacks are present in the recently announced Digital UNIX
     V4.0A release, as well as the previously shipping Digital UNIX V3.2G and Digital
     UNIX V4.0 releases. 

     Refer to the section titled UNIX Version and Patch Recommendations in the
     document, DIGITAL UNIX Tuning Parameters for Web Servers, for information on
     how to obtain patches and on which patches are appropriate for each DIGITAL UNIX
     version. 

     The CERT advisory contains the full details of the attack; refer to it for
     additional information: 

          CERT(sm) Advisory CA-96.21
          Topic: TCP SYN Flooding and IP Spoofing Attacks 
          Original issue date: September 19, 1996 
          ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding 
          http://www.cert.org/ 

     Briefly, the Digital UNIX operating system can be further hardened against attacks of
     this nature through two separate kernel tunable parameters. First, sominconn sets the
     minimum length of the listen (pending connection) queue for every TCP server socket,
     overriding any smaller backlog value the application passes to listen(); it determines
     how many half-open connections (SYNs received but whose handshake has not completed)
     can be held before further requests are discarded. Second, a timer (tcp_keepinit)
     controls how long these partial connections remain in the listen queue before the
     kernel drops them. 

     The default listen queue length for Digital UNIX is 1024, and the default
     partial-connection timeout is 75 seconds. 

     Digital recommends the listen queue (sominconn) be increased to 32767, its maximum
     value. Warning: do NOT set sominconn (or somaxconn) above 32767; this is the
     maximum value allowed. Additionally, the partial connection listen queue timeout
     (tcp_keepinit) should be reduced from its default of 150 to 30. Note that tcp_keepinit
     is counted in half-second units, so 150 is 75 seconds and 30 is 15 seconds. Do not cut
     it much further: a client on a slow or lossy link that cannot complete the three-way
     handshake within the timeout will have its connection attempt dropped, so too short a
     value turns the defense into a denial of service for legitimate users. 

     An example of patching the kernel is shown below: 

                  $ su
                  Password:
                  # dbx -k /vmunix
                  ...
                  dbx> assign sominconn=32767
                  dbx> patch sominconn=32767
                  dbx> assign tcp_keepinit=30
                  dbx> patch tcp_keepinit=30
                  dbx> quit
                  #

     Note: the dbx "assign" command changes the in-memory running kernel image, while
     the "patch" command changes the on-disk /vmunix image. Use assign for an immediate
     change (it does not survive a reboot), and patch for a long term change that holds its
     value over one or more reboots (it does not affect the running kernel until the next
     boot); to get both, issue both commands as in the example. Be aware that if the kernel
     is re-built for any reason, the new /vmunix image will need to be patched again, so
     verify the values with "print sominconn" and "print tcp_keepinit" in dbx after any
     kernel rebuild.
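
     The same change as a non-interactive shell script, added here as an example and not
     part of the original Digital note. It converts a timeout in seconds to tcp_keepinit's
     half-second ticks, refuses a sominconn value above the documented 32767 maximum, feeds
     the assign/patch/print commands to dbx -k, and reads both variables back to verify that
     the change took. The helper that extracts a value from dbx's output (last_int) assumes
     that, given "print NAME", dbx prints the variable's value as the last integer before
     quit; that is an assumption about dbx's output, and the sample text the usage note
     checks it against is constructed. It must run as root on the Digital UNIX host.

```shell
#!/bin/sh
# Added example, not from the original Digital note: apply the two
# recommended values through dbx -k non-interactively and read them
# back. Assumes dbx and /vmunix as described in the note and must run
# as root on the Digital UNIX host; nothing here is run automatically.

SOMAX_LIMIT=32767          # documented maximum for sominconn/somaxconn
KERNEL=/vmunix

# tcp_keepinit is counted in half-second ticks (default 150 = 75 s).
keepinit_ticks() {         # $1 = timeout in seconds
    echo $(( $1 * 2 ))
}

# Accept only 1..32767; the note forbids anything larger.
check_limit() {            # $1 = candidate sominconn value
    [ "$1" -ge 1 ] && [ "$1" -le "$SOMAX_LIMIT" ]
}

# dbx command script: assign changes the running kernel, patch the
# on-disk image, print shows the values for verification.
dbx_script() {             # $1 = sominconn, $2 = tcp_keepinit ticks
    cat <<EOF
assign sominconn=$1
patch sominconn=$1
assign tcp_keepinit=$2
patch tcp_keepinit=$2
print sominconn
print tcp_keepinit
quit
EOF
}

# Last integer in a block of text. Assumption: when dbx is given
# "print NAME", the value is the last integer it prints before quit.
last_int() {               # $1 = text
    printf '%s\n' "$1" | sed 's/[^0-9]/ /g' | awk 'NF { v = $NF } END { print v }'
}

# Read one kernel variable from the running kernel via dbx.
read_var() {               # $1 = variable name
    last_int "$(printf 'print %s\nquit\n' "$1" | dbx -k "$KERNEL" 2>&1)"
}

# Apply both values and verify; returns non-zero if either did not take.
apply_tuning() {           # $1 = sominconn, $2 = timeout in seconds
    check_limit "$1" || { echo "sominconn $1 outside 1..$SOMAX_LIMIT" >&2; return 1; }
    ticks=$(keepinit_ticks "$2")
    dbx_script "$1" "$ticks" | dbx -k "$KERNEL" >/dev/null 2>&1
    [ "$(read_var sominconn)" = "$1" ] && [ "$(read_var tcp_keepinit)" = "$ticks" ]
}

# On the Digital UNIX host, as root:
# apply_tuning 32767 15 && echo "sominconn and tcp_keepinit patched and verified"
```

     Because patch only rewrites the file named in KERNEL, re-run apply_tuning after
     any kernel rebuild; the read-back at the end is what tells you the new /vmunix
     actually carries the values.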