UNIX IP Stack Tuning Guide v2.7

2015. 9. 10. 02:30 Development/Server



UNIX IP Stack Tuning Guide v2.7  By Rob Thomas, robt at cymru.com, 03 DEC 2000 


Introduction 


The purpose of this document is to strengthen the UNIX IP stack against
a variety of attack types prevalent on the Internet today.  This document
details the settings recommended for UNIX servers designed to provide
network intensive services such as HTTP or routing (firewall services).
This document covers the following UNIX variants:



        A. IBM AIX 4.3.X 

        B. Sun Solaris 7 

        C. Compaq Tru64 UNIX 5.X 

        D. HP HP-UX 11.0 (research ongoing) 

        E. Linux kernel 2.2 (tested both SuSE Linux 7.0 and RedHat 7.0)

        F. FreeBSD 

        G. IRIX 6.5.10 



Windows NT/2000 will be covered in future releases. 


The tuning changes noted below will not remain across reboots.
Thus, these changes should be added to a runtime commands file so
that the changes are enacted at each boot.


        AIX - /etc/rc.net 

        Solaris - /etc/init.d/inetinit 

        Tru64 UNIX - Use the sysconfigdb or dxkerneltuner command

        HP-UX - /etc/rc.config.d/nddconf 

        Linux kernel 2.2 - /etc/sysctl.conf 

        FreeBSD - /etc/rc.conf 

        IRIX - Use the systune command 



No tuning steps should be undertaken without a keen insight into
the purpose and effect of such steps.  It is assumed that the
personnel who undertake such tuning are well versed in the UNIX
kernel with bit-level understanding of TCP/IP and the RFCs that
govern IP behavior.




Revision History 


Version 1.0 - Created the AIX IP stack tuning guide 

Version 2.0 - Added Solaris and additional AIX tuning tips, reformatted doc

Version 2.2 - Added ARP tuning tips 

Version 2.3 - Added Compaq Tru64 UNIX SYN defense tips 

Version 2.4 - Added HP HP-UX 11.0 tuning tips 

Version 2.5 - Added Linux and FreeBSD tuning tips 

Version 2.6 - Added IRIX 6.5.10 and additional FreeBSD tuning tips 

Version 2.7 - Added additional HP-UX 11.0 tuning tips 




Credits 

This has become a global effort, and this document is made more rich and
valuable thanks to the input of several very helpful folks!  Kudos and
lauds for the folks below:


Thanks to the Compaq Software Security Response Team for the Tru64 UNIX 

SYN flood defense pointers. 


For HP-UX 11.0, thanks to Tom Harrold for running ndd over and over at my 

every request. :-) 


Thanks to Klaus Moeller for a copious collection of Linux tuning tips. 


Thanks to Andrew Korty for the FreeBSD tuning tips. 


Thanks to Christian Lambert and Alex Icasiano of SGI for the IRIX tuning 

tips. 


Thanks, as always, to the FIRST 

community for support, questions, and feedback. 



General IP Stack Tuning Recommendations 


1. TCP send and receive spaces 


The TCP send and receive spaces directly affect the TCP window
size parameter.  An increased window size will allow for more
efficient transfers, particularly bulk transfers such as FTP
and HTTP.  The default for each is not optimal, and should be
increased to 32768 bytes.  This value should not be increased
above 64K bytes unless the implications of RFC1323 and RFC2018
are fully understood and support for both is enabled.

Do not enable RFC1323 without also enabling support for RFC2018.
Remember, pipe drain is a Bad Thing[tm].


        A. AIX 

        /usr/sbin/no -o tcp_sendspace=32768 

        /usr/sbin/no -o tcp_recvspace=32768 



        B. Solaris 

        /usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat 32768 

        /usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 32768 



        C. Tru64 UNIX 

        No tuning recommendations. 



        D. HP-UX 

        The TCP send and receive spaces are set to 32768 by default 



        E. Linux kernel 2.2 

        While Linux automagically assigns the TCP send and receive
                spaces, support for both RFC1323 (large window support,
                net.ipv4.tcp_window_scaling) and RFC2018 (SACK support,
                net.ipv4.tcp_sack) is enabled by default.



        F. FreeBSD 

        sysctl -w net.inet.tcp.sendspace=32768 

        sysctl -w net.inet.tcp.recvspace=32768 



        G. IRIX 

        The default settings for IRIX are 64Kbytes for both the
                TCP send and receive spaces.





2. Socket queue defense against SYN attacks 


While great effort is undertaken to defend any network from those
with malicious intent, several ports (largely TCP) must remain
open to conduct business.  Internet vandals may attempt to
exploit these ports to launch a denial of service attack.  One of
the most popular attacks remains the SYN flood, wherein the socket
queue of the attacked host is overwhelmed with bogus connection
requests.  To defend against such attacks, certain UNIX variants
maintain separate queues for inbound socket connection requests.
One queue is for half-open sockets (SYN received, SYN|ACK sent),
the other queue for fully-open sockets awaiting an accept()
call from the application.  These two queues should be increased so
that an attack of low to moderate intensity will have little to no
effect on the stability or availability of the server.


        A. AIX 

        /usr/sbin/no -o clean_partial_conns=1
        This setting will instruct the kernel to randomly remove
                half-open sockets from the q0 queue to make room for
                new sockets.



        B. Solaris 

        /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024
        The q queue holds sockets awaiting an accept()
                call from the application.

        /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 2048
        The q0 queue contains half-open sockets.



        C. Tru64 UNIX 

        /sbin/sysconfig -r socket sominconn=65535
        The value of sominconn determines how many simultaneous
                incoming SYN packets can be handled by the system.

        /sbin/sysconfig -r socket somaxconn=65535
        The value of somaxconn sets the maximum number of pending
                TCP connections.



        D. HP-UX 

        /usr/sbin/ndd -set /dev/tcp tcp_syn_rcvd_max 1024
        /usr/sbin/ndd -set /dev/tcp tcp_conn_request_max 200



        E. Linux kernel 2.2 

        /sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=1280
        Increases the size of the socket queue (effectively, q0).

        /sbin/sysctl -w net.ipv4.tcp_syn_cookies=1
        Enables support for TCP SYN cookies, which mitigates the
                effectiveness of SYN floods.  However, this may cause
                performance problems for large windows (see RFC1323 and
                RFC2018).  To read more about SYN cookies, please review
                DJ Bernstein's paper on the subject.



        F. FreeBSD 

        sysctl -w kern.ipc.somaxconn=1024 



        G. IRIX 

        The listen() queue is hardcoded to 32.  However, the system
                actually enforces the limit of pending connections as
                ((3 * backlog) / 2) + 1.  This yields a maximum backlog
                of 49 connections.
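A way to watch the half-open (q0) queue described above from the host side, as an added example that is not part of the original guide: the script counts SYN_RECV sockets per local port in "netstat -an" output and flags ports whose count exceeds a limit you choose (for instance, a fraction of tcp_max_syn_backlog). The sample netstat lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: gauge pressure on the
# half-open (q0) queue from "netstat -an" output by counting SYN_RECV
# sockets per local port.  Linux prints the state as SYN_RECV, BSD-style
# stacks print SYN_RCVD, so both spellings are matched.

# half_open_per_port NETSTAT: prints "port count" for every local port
# holding at least one half-open socket, highest count first.
half_open_per_port() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && ($NF == "SYN_RECV" || $NF == "SYN_RCVD") {
            n = split($4, a, ":"); c[a[n]]++    # port follows the last colon
        }
        END { for (p in c) print p, c[p] }' | sort -k2,2nr -k1,1n
}

# ports_over_limit NETSTAT LIMIT: prints ports whose half-open count
# exceeds LIMIT, one per line (empty output means nothing is over).
ports_over_limit() {
    half_open_per_port "$1" | awk -v lim="$2" '$2 > lim { print $1 }'
}

# Constructed netstat lines: one established session on port 22 and a
# burst of half-open connections to port 80 from scattered sources.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:40112          ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:1025        SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.8:1026        SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:1027        SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.3:2000       SYN_RECV'

# On a live host: ports_over_limit "$(netstat -an)" 640
half_open_per_port "$SAMPLE_NETSTAT"
```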





3. Redirects 


A miscreant can use IP redirects to modify the routing table on a
remote host.  In a well-designed network, redirects to the end
stations should not be required.  Both the sending and accepting
of redirects should be disabled.


        A. AIX 

        /usr/sbin/no -o ipignoreredirects=1 

        /usr/sbin/no -o ipsendredirects=0 



        B. Solaris 

        /usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1 

        /usr/sbin/ndd -set /dev/ip ip_send_redirects 0 



        C. Tru64 UNIX 

        No tuning recommendations. 



        D. HP-UX 

        /usr/sbin/ndd -set /dev/ip ip_send_redirects 0 



        E. Linux kernel 2.2 

        /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0 

        /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0 



        F. FreeBSD 

        sysctl -w net.inet.icmp.drop_redirect=1 

        sysctl -w net.inet.icmp.log_redirect=1 

        sysctl -w net.inet.ip.redirect=0 

        sysctl -w net.inet6.ip6.redirect=0 



        G. IRIX 

        /usr/sbin/systune icmp_dropredirects to 1 





4. ARP cleanup 


It is possible for a miscreant to create a resource exhaustion or
performance degradation by filling the IP route cache with bogus
ARP entries.  In Solaris, there are two parameters that govern the
cleanup interval for the IP route cache.  For unsolicited ARP
responses, the parameter to be tuned is arp_cleanup_interval.  In
AIX, the cleanup interval is governed by the value of arpt_killc.
However, this parameter governs both solicited and unsolicited ARP
entries.  For this reason, it is likely best to leave the parameter
at the default setting of 20 minutes.


        A. AIX 

        /usr/sbin/no -o arpt_killc=20 



        B. Solaris 

        /usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000



        C. Tru64 UNIX 

        No tuning recommendations. 



        D. HP-UX 

        By default set to five minutes. 



        E. Linux kernel 2.2 

        No tuning recommendations. 



        F. FreeBSD 

        sysctl -w net.link.ether.inet.max_age=1200 



        G. IRIX 

        No tuning recommendations. 





5. Source routing 


With source routing, an attacker can attempt to reach internal IP
addresses - including RFC1918 addresses.  It is important to disable
the acceptance of source routed packets to prevent subtle probes of
your internal networks.


        A. AIX 

        /usr/sbin/no -o ipsrcroutesend=0
        Disable the sending of source routed packets.

        /usr/sbin/no -o ipsrcrouteforward=0
        This is important if the box is routing, e.g. a firewall.
                Disable this feature to prevent the host from
                forwarding source routed packets.



        B. Solaris 

        /usr/sbin/ndd -set /dev/ip ip_src_route_forward 0
        This is important if the box is routing, e.g. a firewall.
                Disable this feature to prevent the host from
                forwarding source routed packets.



        C. Tru64 UNIX 

        No tuning recommendations. 



        D. HP-UX 

        ndd -set /dev/ip ip_forward_src_routed 0
        Disable this feature to prevent the host from forwarding
                source routed packets.



        E. Linux kernel 2.2 

        /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
        Drop all source routed packets.



        /sbin/sysctl -w net.ipv4.conf.all.forwarding=0 

        /sbin/sysctl -w net.ipv4.conf.all.mc_forwarding=0 

        Do not forward source routed frames. 



        F. FreeBSD 

        sysctl -w net.inet.ip.sourceroute=0 

        sysctl -w net.inet.ip.accept_sourceroute=0 



        G. IRIX 

        /usr/sbin/systune ipforward to 2 





6. TIME_WAIT setting 


On a busy web server, many sockets may linger in the TIME_WAIT state.
This is caused by improperly coded client applications that do not
properly shut down a socket.  This can also be used as a type of DDoS
attack.


        A. AIX 

        No tuning recommendations. 



        B. Solaris 

        /usr/sbin/ndd -set /dev/tcp tcp_time_wait_interval 60000
        This parameter affects the amount of time a TCP socket will
                remain in the TIME_WAIT state.  The default is quite
                high for a busy web server, so it should be lowered to
                60000 milliseconds (60 seconds).  The parameter name was
                corrected in Solaris 7 and higher.  Prior to Solaris 7,
                the parameter was incorrectly labeled as
                tcp_close_wait_interval.



        C. Tru64 UNIX 

        No tuning recommendations. 



        D. HP-UX 

        ndd -set /dev/tcp tcp_time_wait_interval 60000 

        Sockets will linger in TIME_WAIT state no more than 60 seconds.



        E. Linux kernel 2.2 

        /sbin/sysctl -w net.ipv4.vs.timeout_timewait=60 

        Sockets will linger in TIME_WAIT state for no more than 60 seconds.



        F. FreeBSD 

        No tuning recommendations. 



        G. IRIX 

        /usr/sbin/systune tcp_2msl to 60 





7. Broadcast ECHO response 


Smurf attacks work by sending ICMP 8 0 (ECHO REQUEST) messages to a
broadcast address from a spoofed address.  Some IP stacks will respond,
by default, to such messages.  This should be disabled.  Further, if the
host is a firewall (router), it should not propagate directed broadcasts.


        A. AIX 

        /usr/sbin/no -o directed_broadcast=0 

        Do not respond to directed broadcasts. 



        B. Solaris 

        /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
        Do not respond to directed broadcasts.



        /usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
        Do not forward directed broadcasts.



        C. Tru64 UNIX 

        No tuning recommendations. 



        D. HP-UX 

        ndd -set /dev/ip ip_respond_to_echo_broadcast 0 

        Do not respond to directed broadcasts. 



        ndd -set /dev/ip ip_forward_directed_broadcasts 0 

        Do not forward directed broadcasts. 



        E. Linux kernel 2.2 

        /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
        Do not respond to directed broadcasts.



        F. FreeBSD 

        sysctl -w net.inet.icmp.bmcastecho=0 



        G. IRIX 

        /usr/sbin/systune allow_brdaddr_srcaddr to 0 
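The Linux kernel 2.2 settings recommended in sections 2, 3, 5 and 7 above, gathered into a small audit that compares a "sysctl -a" dump against them; this is an added example, not part of the original guide. The policy treats the SYN backlog as a minimum and the on/off knobs as exact values, and the two dumps in the script are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a "sysctl -a" dump
# against the Linux kernel 2.2 settings recommended in sections 2, 3, 5, 7.
# Policy lines are "key op value": "ge" means at least, "eq" means exactly.
POLICY='net.ipv4.tcp_max_syn_backlog ge 1280
net.ipv4.tcp_syn_cookies eq 1
net.ipv4.conf.all.send_redirects eq 0
net.ipv4.conf.all.accept_redirects eq 0
net.ipv4.conf.all.accept_source_route eq 0
net.ipv4.icmp_echo_ignore_broadcasts eq 1'

# audit_sysctl DUMP: DUMP is "key = value" text as printed by "sysctl -a".
# Prints one line per missing or weak setting; prints nothing if all comply.
audit_sysctl() {
    dump=$1
    echo "$POLICY" | while read -r key op want; do
        have=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $3 }')
        if [ -z "$have" ]; then
            echo "MISSING $key (want $op $want)"
        elif [ "$op" = ge ] && [ "$have" -lt "$want" ]; then
            echo "WEAK    $key = $have (want at least $want)"
        elif [ "$op" = eq ] && [ "$have" != "$want" ]; then
            echo "WEAK    $key = $have (want $want)"
        fi
    done
}

# count_deviations DUMP: number of findings audit_sysctl reports.
count_deviations() {
    audit_sysctl "$1" | awk 'END { print NR }'
}

# Constructed dump of an untuned host: small SYN backlog, SYN cookies off,
# redirects sent, and the broadcast-echo knob absent altogether.
SAMPLE_DUMP='net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_syn_cookies = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0'
# Constructed dump of a host tuned as the guide recommends.
TUNED_DUMP='net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_syn_cookies = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1'

# On a real host: audit_sysctl "$(sysctl -a 2>/dev/null)"
audit_sysctl "$SAMPLE_DUMP"
```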





8. Other broadcast probes 


There are two other broadcast probes that a miscreant could utilize
against a network.  The address mask query can be used to map out the
size of the netblock, and set a range for further probes.  The
timestamp broadcast is another means of mapping and fingerprinting
hosts.


        A. AIX 

        /usr/sbin/no -o icmpaddressmask=0 

        Prevent address mask queries. 



        B. Solaris 

        /usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
        Prevent address mask queries.



        /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
        Disable timestamp broadcast query response.



        C. Tru64 UNIX 

        No tuning recommendations.



        D. HP-UX 

        ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
        Prevent the host from revealing the configured netmask.



        ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0 

        Disable timestamp broadcast query response.



        E. Linux kernel 2.2 

        No tuning recommendations. 



        F. FreeBSD 

        sysctl -w net.inet.icmp.maskrepl=0 



        G. IRIX 

        Use ipfilterd to block unwanted ICMP types. 





9. Support for RFC1948 


This will utilize RFC1948 sequence number generation techniques to
ensure that the sequence number for a given TCP socket is very
difficult to guess.  This tactic prevents TCP session hijacking,
which could be quite an issue with e-commerce.


        B. Solaris 

        Set TCP_STRONG_ISS=2 in /etc/default/inetinit. 

        This will require a reboot to take effect. 



        G. IRIX 

        /usr/sbin/systune tcpiss_md5 to 1 
