UNIX IP Stack Tuning Guide


The purpose of this article is to tune the UNIX IP stack so that it resists several types of attack in common use today. It describes recommended settings for UNIX systems that provide network services such as HTTP or routing. The following systems are covered:

A. IBM AIX 4.3.X
B. Sun Solaris 7
C. Compaq Tru64 UNIX 5.X
D. HP-UX 11.0 (ongoing)
E. Linux kernel 2.2 (tested on both SuSE Linux 7.0 and RedHat 7.0)
F. FreeBSD
G. IRIX 6.5.10

Some of the commands and parameters described below change only the running kernel and do not survive a reboot. If you want the settings to persist, add the commands (or the equivalent parameters) to the following startup files:

AIX: /etc/rc.net
Solaris: /etc/init.d/inetinit
Tru64 UNIX: use the sysconfigdb or dxkerneltuner command
HP-UX: /etc/rc.config.d/nddconf
Linux kernel 2.2: /etc/sysctl.conf
FreeBSD: /etc/rc.conf
IRIX: use the systune command

====================================================================

Here are some of the IP stack tuning recommendations:

1. Adjust TCP send and receive space

The TCP send and receive space directly affects the TCP window size. Increasing the window size somewhat allows more efficient transfers, especially for bulk services such as FTP and HTTP. The default values are not optimal on every system, so in general the window size should be raised to 32768 bytes. Do not increase this value beyond 64K bytes unless you have a clear understanding of RFC1323 (http://www.ietf.org/rfc/rfc1323.txt?number=1323) and RFC2018 (http://www.ietf.org/rfc/rfc2018.txt?number=2018).

A. AIX
/usr/sbin/no -o tcp_sendspace=32768
/usr/sbin/no -o tcp_recvspace=32768

B. Solaris
/usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat 32768
/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 32768

C. Tru64 UNIX
No recommended adjustments.

D. HP-UX
TCP send and receive space is set to 32768 by default.

E. Linux Kernel 2.2
Linux sizes the TCP send and receive space automatically and supports RFC1323 (large windows, net.ipv4.tcp_window_scaling) and RFC2018 (SACK, net.ipv4.tcp_sack) by default.

F. FreeBSD
sysctl -w net.inet.tcp.sendspace=32768
sysctl -w net.inet.tcp.recvspace=32768

G. IRIX
TCP send and receive space is set to 64K bytes by default.

2. Adjust socket queue sizes to protect against SYN attacks

Every network application must open one or more ports to the outside world, so a malicious attacker can always launch a denial-of-service attack against those ports. One popular attack is the SYN flood. During the attack the client's source IP address is forged (spoofed); since IP routing only checks the destination address when forwarding, the packet reaches the destination host but the return path leads nowhere, and the destination host can never complete the TCP three-way handshake. Meanwhile the TCP socket backlog queues fill up quickly and new connection requests are rejected. To resist these attacks, some UNIX variants keep two separate queues for inbound connection requests: one for half-open sockets (SYN received, SYN|ACK sent) and another for fully open sockets waiting for an accept() call. Increasing both queues is a good way to mitigate SYN flood attacks and minimise their impact on the server:

A. AIX
/usr/sbin/no -o clean_partial_conns=1
This setting instructs the kernel to randomly remove half-open sockets from the q0 queue to make room for new ones.

B. Solaris
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024
Sets the size of the q queue, which holds sockets waiting for an accept() call from the application.
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 2048
Sets the size of the q0 queue, which holds half-open sockets.

C. Tru64 UNIX
/sbin/sysconfig -r socket sominconn=65535
The sominconn value determines how many incoming SYN packets the system can handle at the same time.
/sbin/sysconfig -r socket somaxconn=65535
The somaxconn value sets how many pending TCP connections the system will hold.

D. HP-UX
/usr/sbin/ndd -set /dev/tcp tcp_syn_rcvd_max 1024
/usr/sbin/ndd -set /dev/tcp tcp_conn_request_max 200

E. Linux Kernel 2.2
/sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=1280
Effectively increases the size of the q0 socket queue.
/sbin/sysctl -w net.ipv4.tcp_syncookies=1
Enables TCP SYN cookie support, which effectively mitigates SYN flood attacks; note that SYN cookies can cause performance problems with large windows (see RFC1323 and RFC2018).

F. FreeBSD
sysctl -w kern.ipc.somaxconn=1024

G. IRIX
The listen() queue is hard-limited to 32, but the system actually allows ((3 * backlog) / 2) + 1 pending connections, so the effective maximum backlog is 49.

3. Adjust redirect parameters

A malicious user can use ICMP redirects to modify the routing table of a remote host. In a well-designed network, end hosts do not need redirects, so both sending and accepting redirect packets should be turned off.

A. AIX
/usr/sbin/no -o ipignoreredirects=1
/usr/sbin/no -o ipsendredirects=0

B. Solaris
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0

C. Tru64 UNIX
No recommended adjustment settings.

D. HP-UX
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0

E. Linux Kernel 2.2
/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0

F. FreeBSD
sysctl -w net.inet.icmp.drop_redirect=1
sysctl -w net.inet.icmp.log_redirect=1
sysctl -w net.inet.ip.redirect=0
sysctl -w net.inet6.ip6.redirect=0

G. IRIX
/usr/sbin/systune icmp_dropredirects 1

4. Adjust ARP cleanup settings

A malicious user can flood the IP route cache with spoofed ARP entries, causing resource exhaustion and degraded performance. On Solaris, the interval at which unsolicited ARP entries are flushed from the IP route cache is controlled by arp_cleanup_interval; on AIX it is set with arpt_killc.

A. AIX
/usr/sbin/no -o arpt_killc=20

B. Solaris
/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000

C. Tru64 UNIX
No recommended adjustments.

D. HP-UX
The default setting is 5 minutes.

E. Linux Kernel 2.2
No recommended adjustments.

F. FreeBSD
sysctl -w net.link.ether.inet.max_age=1200

G. IRIX
No recommended adjustments.

5. Adjust source routing settings

With source routing an attacker can attempt to reach internal IP addresses, including RFC1918 addresses, so refusing source-routed packets prevents your internal network from being probed.

A. AIX
/usr/sbin/no -o ipsrcroutesend=0
Disables sending of source-routed packets.

/usr/sbin/no -o ipsrcrouteforward=0
This parameter matters if your system acts as a router or firewall; turning it off prevents forwarding of source-routed packets.

B. Solaris
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
This parameter matters if your system acts as a router or firewall; turning it off prevents forwarding of source-routed packets.

C. Tru64 UNIX
No recommended adjustments.

D. HP-UX
ndd -set /dev/ip ip_forward_src_routed 0
Turning off this feature prevents forwarding of source-routed packets.

E. Linux Kernel 2.2
/sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
Discards all source-routed packets.
/sbin/sysctl -w net.ipv4.conf.all.forwarding=0
/sbin/sysctl -w net.ipv4.conf.all.mc_forwarding=0
Turns off IP forwarding and multicast forwarding, so the host does not act as a router.

F. FreeBSD
sysctl -w net.inet.ip.sourceroute=0
sysctl -w net.inet.ip.accept_sourceroute=0

G. IRIX
/usr/sbin/systune ipforward 2

6. Adjust TIME_WAIT settings

On busy web servers many sockets may sit in the TIME_WAIT state, because poorly written client applications do not close their sockets properly. This can be used for DDoS-style attacks.

A. AIX
No recommended settings.

B. Solaris
/usr/sbin/ndd -set /dev/tcp tcp_time_wait_interval 60000

This parameter controls how long a TCP socket remains in the TIME_WAIT state. The default is too high for a busy web server, so set it to 60 seconds or less. This parameter name applies to Solaris 7 and later; before Solaris 7 it had the misleading name tcp_close_wait_interval.

C. Tru64 UNIX
No recommended adjustment settings.

D. HP-UX
ndd -set /dev/tcp tcp_time_wait_interval 60000
Sockets remain in the TIME_WAIT state for no more than 60 seconds.

E. Linux Kernel 2.2
/sbin/sysctl -w net.ipv4.vs.timeout_timewait=60
Sockets remain in the TIME_WAIT state for no more than 60 seconds.

F. FreeBSD
No recommended adjustment settings.

G. IRIX
/usr/sbin/systune tcp_2msl 60

7. Adjust broadcast echo response

A smurf attack sends ICMP type 8 code 0 (ECHO REQUEST) packets from a forged source address to a broadcast address. Some IP stacks respond to such requests by default, so this behaviour must be turned off. If the host acts as a firewall (router), turning the feature off also stops it from handling directed broadcasts.

A. AIX
/usr/sbin/no -o directed_broadcast=0
Does not respond to directed broadcasts.

B. Solaris
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
Does not respond to directed broadcasts.
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
Does not forward directed broadcasts.

C. Tru64 UNIX
Adjustment settings are not recommended.

D. HP-UX
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
Does not respond to directed broadcasts.
ndd -set /dev/ip ip_forward_directed_broadcasts 0
Does not forward directed broadcasts.

E. Linux Kernel 2.2
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
Does not respond to directed broadcasts.

F. FreeBSD
sysctl -w net.inet.icmp.bmcastecho=0

G. IRIX
/usr/sbin/systune allow_brdaddr_srcaddr 0

8. Adjust other broadcast probe responses

Two other broadcast probes can be abused by malicious users: address mask queries can reveal the size and range of a network segment, and timestamp broadcasts can be used to map hosts and identify host types.

A. AIX
/usr/sbin/no -o icmpaddressmask=0
Prevents address mask queries.

B. Solaris
/usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
Prevents address mask queries.

/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
Turns off the response to timestamp broadcast queries.

C. Tru64 UNIX
No recommended adjustments.

D. HP-UX
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
Prevents the network mask from leaking host configuration.

ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
Turns off the response to timestamp broadcast queries.

E. Linux Kernel 2.2
No recommended adjustments.

F. FreeBSD
sysctl -w net.inet.icmp.maskrepl=0

G. IRIX
Use ipfilterd to block unwanted ICMP types.

9. Adjust parameters to support RFC1948

The following adjustments enable the RFC1948 (http://www.ietf.org/rfc/rfc1948.txt?number=1948) TCP initial sequence number generation technique, which makes the sequence numbers of a TCP socket very hard to guess:

B. Solaris
Set tcp_strong_iss=2 in /etc/default/inetinit.
A reboot is required for this to take effect.

G. IRIX
/usr/sbin/systune tcpiss_md5 1
(Source: Viphot)
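The Linux settings above are normally persisted in /etc/sysctl.conf, as noted in the list of startup files. As an added example that is not part of the original guide, the POSIX shell script below audits a sysctl.conf-style file against the Linux values recommended here; the key list is taken from this guide, while the function names and the sample file are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a sysctl.conf-style
# file against the Linux hardening values recommended above. The key list
# is taken from the guide; the sample file below is constructed.

WANTED='net.ipv4.tcp_max_syn_backlog=1280
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1'

# audit_sysctl_conf FILE: prints one line per wanted key, prefixed
# OK, WRONG or MISSING. Full-line '#' or ';' comments are skipped and,
# as with sysctl(8), the last assignment of a key wins.
audit_sysctl_conf() {
    printf '%s\n' "$WANTED" | while IFS='=' read -r key want; do
        got=$(sed -e '/^[[:space:]]*[#;]/d' "$1" | awk -F= -v k="$key" '
            { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
            $1 == k { v = $2 }
            END { print v }')
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"
        elif [ "$got" = "$want" ]; then
            echo "OK $key=$got"
        else
            echo "WRONG $key=$got (want $want)"
        fi
    done
}

# count_findings FILE: number of WRONG or MISSING keys (0 means compliant).
count_findings() {
    audit_sysctl_conf "$1" | awk '!/^OK / { n++ } END { print n + 0 }'
}

# Constructed sample /etc/sysctl.conf: one key right, one wrong, rest missing.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# hardening settings
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 1
EOF
audit_sysctl_conf "$SAMPLE"
echo "findings: $(count_findings "$SAMPLE")"
rm -f "$SAMPLE"
```

Because `sysctl -a` prints the same `key = value` form, `sysctl -a > running.txt; audit_sysctl_conf running.txt` checks the live kernel instead of the file.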
