Unix ip Stack adjustment Guide

The purpose of this article is to adjust the unix ip stack to effectively prevent multiple types of attacks today.
Describes the Recommended settings of network services such as HTTP or routing in Some UNIX service systems.
Including the following different UNIX:

A. ibm aix 4.3.X
B. Sun Solaris 7
C. Compaq Tru64 UNIX 5.X
D. HP HP-UX 11.0 (research ongoing)
E. Linux kernel 2.2 (tested both SuSE Linux 7.0 and RedHat 7.0)
F. FreeBSD
G. IRIX 6.5.10

Some adjustment parameters and syntaxes described below will not be automatically activated after restart, so if you need
If you keep these parameters for a long time at each startup, you need to add these real-time commands to the following startup
File:

AIX-/etc/rc.net
Solaris-/etc/init. d/inetinit
Tru64 UNIX-use sysconfigdb or dxkerneltuner command
HP-UX --/etc/rc. config. d/nddconf
Linux kernel 2.2-/etc/sysctl. conf
FreeBSD-/etc/rc. conf
IRIX-use the fortune command

========================================================== ======================================

The following are some suggestions for adjusting the IP stack:

1. Adjust the TCP sending and receiving spaces (TCP send and receive spaces)

The space sent and received by TCP directly affects the TCP window size parameter (TCP window size parameter ),
To a certain extent, the increase in the window size will facilitate more effective transmission, especially for some
For services such as FTP and HTTP, some default settings are not optimal for every system.
Increase the window size to 32768 bytes. Unless you have a clear understanding of RFC1323 (
Http://www.ietf.org/rfc/rfc1323.txt? Number = 1323) and RFC2018 (http: // www.
Ietf.org/rfc/rfc2018.txt? Number = 2018). Otherwise, do not increase the value to a value greater than 64 KB.

A. AIX
/Usr/sbin/no-o tcp_sendspace = 32768
/Usr/sbin/no-o tcp_recvspace = 32768

B. Solaris
/Usr/sbin/ndd-set/dev/tcp tcp_xmit_hiwat 32768
/Usr/sbin/ndd-set/dev/tcp tcp_recv_hiwat 32768

C. Tru64 UNIX
No recommended adjustments.

D. HP-UX
By default, the TCP sending and receiving space is set to 32768.

E. Linux kernel 2.2
Linux automatically allocates TCP sending and receiving spaces and supports RFC1323 by default (large window support,
Net. ipv4.tcp _ window_scaling) and RFC2018 (SACK support, net. ipv4.tcp _ sack ).

F. FreeBSD
Sysctl-w net. inet. tcp. sendspace = 32768
Sysctl-w net. inet. tcp. recvspace = 32768

G. IRIX
By default, the TCP sending and receiving space is set to 64 KB.

2. Adjust the set of interface sequence to prevent SYN Attacks

Generally, one or several ports of various network application software must be opened for external use.
Attackers can initiate Denial-of-service attacks to these ports. One of the most popular attacks is SYN.
FLOOD, when an attack occurs, the client's source IP address is forged (spoofed), the current IP Address
The routing mechanism only checks the destination IP address and forwards the packet. After the packet arrives at the destination host, the returned path cannot be reached.
The target host cannot establish a connection through TCP three-way handshake. During this period
The set of interface cache queues are quickly filled up, and new connection requests are rejected. To prevent these attacks, some UNIX
The variant uses a set of interfaces that separate the inbound traffic to connect to the Request queue. A queue uses a set of interfaces (SYN receiving,
SYN | ACK), and the other queue waits for an accept () call to open the full set of excuses.
Column can mitigate these syn flood attacks and minimize the impact on the server:

A. AIX
/Usr/sbin/no-o clean_partial_conns = 1
This setting indicates that the kernel randomly removes the half-open interface from the q0 queue to add a new interface.
Required space.

B. Solaris
/Usr/sbin/ndd-set/dev/tcp tcp_conn_req_max_q 1024
Enable the q queue to have an interface waiting for the accept () call from the application.
/Usr/sbin/ndd-set/dev/tcp tcp_conn_req_max_q0 2048
Enable the q0 queue to maintain a half-open interface.

C. Tru64 UNIX
/Sbin/sysconfig-r socket sominconn = 65535
The sominconn value determines how many identical SYN packets can be processed simultaneously.
/Sbin/sysconfig-r socket somaxconn = 65535
The somaxconn value sets the number of TCP connections to be retained by the system.

D. HP-UX
/Usr/sbin/ndd-set tcp_syn_rcvd_max 1024
/Usr/sbin/ndd-set tcp_conn_request_max 200

E. Linux kernel 2.2
/Sbin/sysctl-w net. ipv4.tcp _ max_syn_backlog = 1280
Effectively increase the size of the Set interface queue for q0.
/Sbin/sysctl-w net. ipv4.tcp _ syn_cookies = 1
Enabling tcp syn cookies can effectively reduce syn flood attacks. However
Large windows cause some performance problems (see RFC1323 and RFC2018.

F. FreeBSD
Sysctl-w kern. ipc. somaxconn = 1024

G. IRIX
The listen () queue is hard set to 32, but the number of connections to be processed is (3 * backlog)/2) + 1,
The maximum value of backlog is 49.

3. Adjust Redirects parameters.

Malicious users can use IP redirection to modify the route table in the remote host. In a well-designed network,
The redirection settings at the end are not required, and the sending and receiving of the redirection information package must be disabled.

A. AIX
/Usr/sbin/no-o ipignoreredirects = 1
/Usr/sbin/no-o ipsendredirects = 0

B. Solaris
/Usr/sbin/ndd-set/dev/ip ip_ignore_redirect 1
/Usr/sbin/ndd-set/dev/ip ip_send_redirects 0

C. Tru64 UNIX
No recommended adjustment settings.

D. HP-UX
/Usr/sbin/ndd-set/dev/ip ip_send_redirects 0

E. Linux kernel 2.2
/Sbin/sysctl-w net. ipv4.conf. all. send_redirects = 0
/Sbin/sysctl-w net. ipv4.conf. all. accept_redirects = 0

F. FreeBSD
Sysctl-w net. inet. icmp. drop_redirect = 1
Sysctl-w net. inet. icmp. log_redirect = 1
Sysctl-w net. inet. ip. redirect = 0
Sysctl-w net. inet6.ip6. redirect = 0

G. IRIX
/Usr/sbin/systune icmp_dropredirects to 1

4. Adjust ARP cleaning settings

By buffering IP addresses with forged ARP entries, malicious users can consume resources and reduce performance.
Attack. In Solaris, there are two parameters that can manage the interval to clean up IP Route buffering, for unrequested
ARP response can be adjusted through arp_cleanup_interval, And AIX can be set through artp_killc.

A. AIX
/Usr/sbin/no-o arpt_killc = 20
B. Solaris
/Usr/sbin/ndd-set/dev/arp arp_cleanup_interval 60000
C. Tru64 UNIX
No reference settings.
D. HP-UX
The default value is 5 minutes.
E. Linux kernel 2.2
No reference settings.
F. FreeBSD
Sysctl-w net. link. ether. inet. max_age = 1200
G. IRIX
No reference settings.

5. Adjust the source route settings

Through source routing, attackers can try to reach the internal IP address, including the address in RFC1918, so
The source route information package is not accepted to prevent your internal network from being detected.

A. AIX
/Usr/sbin/no-o ipsrcroutesend = 0
Disable source route information package sending.

/Usr/sbin/no-o ipsrcrouteforward = 0
This parameter is very important if your system is going to do routing like a firewall.
It can prevent route information packets from source conversion.

B. Solaris
/Usr/sbin/ndd-set/dev/ip ip_src_route_forward 0
This parameter is very important if your system is going to do routing like a firewall.
It can prevent route information packets from source conversion.

C. Tru64 UNIX
No recommended adjustments.

D. HP-UX
Ndd-set/dev/ip ip_forward_src_routed 0
Disabling this feature can effectively prevent the conversion from source routing information packets.

E. Linux kernel 2.2
/Sbin/sysctl-w net. ipv4.conf. all. accept_source_route = 0
Discard all source address packages.
/Sbin/sysctl-w net. ipv4.conf. all. forwarding = 0
/Sbin/sysctl-w net. ipv4.conf. all. mc_forwarding = 0
Route frame without conversion source.

F. FreeBSD
Sysctl-w net. inet. ip. sourceroute = 0
Sysctl-w net. inet. ip. accept_sourceroute = 0

G. IRIX
/Usr/sbin/systune ipforward to 2

6. Adjust TIME_WAIT setting settings

On some busy WEB servers, many interfaces may be in the TIME_WAIT status.
This error is caused by the fact that some client applications with irregular encoding do not properly process the set of interfaces.
It may cause DDOS attacks.

A. AIX
No Recommended settings.

B. Solaris
/Usr/sbin/ndd-set/dev/tcp tcp_time_wait_interval 60000

This parameter affects the number of times the TCP interface maintains the TIME_WAIT status. By default
The busy WEB server is too high, so it must be set to lower than every 60 seconds. This parameter name applies
The name of Solaris7 or later versions earlier than Solaris 7 is incorrect.
Tcp_close_wait_interval.

C. Tru64 UNIX
No recommended adjustment settings.

D. HP-UX
Ndd-set/dev/tcp tcp_time_wait_interval 60000
The set of interfaces will remain in the TIME_WAIT status for no more than 60 seconds.

E. Linux kernel 2.2
/Sbin/sysctl-w net. ipv4.vs. timeout_timewait = 60
The set of interfaces will remain in the TIME_WAIT status for no more than 60 seconds.

F. FreeBSD
No recommended adjustment settings.

G. IRIX
/Usr/sbin/une tcp_2msl to 60

7. Adjust the broadcast ECHO response

The Smurf attack is a counterfeit address that sends ICMP 8 0 (echo request) information to a wide range
Play address. Some IP stack will respond to this information by default, so this feature must be disabled. If
This host is used as a firewall. If this feature is disabled, it cannot process broadcasts.

A. AIX
/Usr/sbin/no-o directed_broadcast = 0
Direct Broadcast is not responded.

B. Solaris
/Usr/sbin/ndd-set/dev/ip ip_respond_to_echo_broadcast 0
Direct Broadcast is not responded.
/Usr/sbin/ndd-set/dev/ip ip_forward_directed_broadcasts 0
Direct Broadcast is not forwarded.

C. Tru64 UNIX
No adjustment settings are recommended.

D. HP-UX
Ndd-set/dev/ip ip_respond_to_echo_broadcast 0
Direct Broadcast is not responded.
Ndd-set/dev/ip ip_forward_directed_broadcasts 0
Direct Broadcast is not forwarded.

E. Linux kernel 2.2
/Sbin/sysctl-w net. ipv4.icmp _ echo_ignore_broadcasts = 1
Direct Broadcast is not responded.

F. FreeBSD
Sysctl-w net. inet. icmp. bmcastecho = 0

G. IRIX
/Usr/sbin/systune allow_brdaddr_srcaddr to 0

8. Adjustments to other broadcast probes

The other two Broadcast probes can be used by malicious users. One is the address mask query, which can be used for detection.
The size and range of the network segment. Timestamp broadcast can map and authenticate host types.

A. AIX
/Usr/sbin/no-o icmpaddressmask = 0
Prevent address masking queries.

B. Solaris
/Usr/sbin/ndd-set/dev/ip ip_respond_to_address_mask_broadcast 0
Prevent address masking queries.

/Usr/sbin/ndd-set/dev/ip ip_respond_to_timestamp_broadcast 0
Disable the response to the time stamp broadcast query.

C. Tru64 UNIX
No recommended adjustments.

D. HP-UX
Ndd-set/dev/ip ip_respond_to_address_mask_broadcast 0
Prevents leakage of the network mask configured by the host.

Ndd-set/dev/ip ip_respond_to_timestamp_broadcast 0
Disable the response to the time stamp broadcast query.

E. Linux kernel 2.2
No recommended adjustments.

F. FreeBSD
Sysctl-w net. inet. icmp. maskrepl = 0

G. IRIX
Use ipfilterd to block unwanted ICMP types.

9. Adjust parameters to support RFC1948

Which of the following adjustments will take advantage of RFC1948 (http://www.ietf.org/rfc/rfc1948.txt? Number = 1948)
TCP/IP serial number generation technology to ensure that the serial number for a TCP set of interfaces is difficult to guess:

B. Solaris
Set TCP_STRONG_ISS = 2 in/etc/default/inetinit.
This requires a restart to enable.

G. IRIX
/Usr/sbin/une tcpiss_md5 to 1
(Source: viphot)