__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN SUN's TCP SYN Flooding Solutions October 14, 1996 22:00 GMT Number H-02 ______________________________________________________________________________ PROBLEM: TCP-based "SYN flood" denial-of-service attacks. PLATFORM: Solaris and SunOS systems. DAMAGE: Bombarding a system with dozens of falsified connection requests a minute can seriously degrade its ability to give service to legitimate connection requests. This is why the attack is said to "deny service" to the system's users. SOLUTION: Implement SUN's suggested solutions described in section I.C. ______________________________________________________________________________ VULNERABILITY This denial-of-service attack has been discussed in CERT(sm) ASSESSMENT: Advisory CA-96.21 and CIAC Bulletin G-48. Attacks against several prominent service providers have been well documented in the last several weeks in Time magazine, the Wall Street Journal, and many other national and international periodicals. ______________________________________________________________________________ [ Start of SUN Bulletin ] ============================================================================= SUN MICROSYSTEMS SECURITY BULLETIN: #00136, 9 Oct 1996 ============================================================================= BULLETIN TOPICS In this bulletin Sun discusses the TCP-based "SYN flood" denial- of-service attack. We suggest ways to tune most Solaris/SunOS systems to make them more resistant, and explain which releases and configurations stand up best. We also discuss which customers are most likely to be affected, and the degree to which firewalls and similar insulating arrangements can protect an enterprise from this attack. This Bulletin also describes the patches and other changes Sun commits to making in the future in response to the emergence of such attacks. This denial-of-service attack, which affects all operating systems which implement the TCP protocol, has previously been discussed in CERT(sm) Advisory CA-96.21, issued on 19 September 96. Attacks against several prominent service providers have been well documented in the last several weeks in Time magazine, the Wall Street Journal, and many other national and international periodicals. I. What has Happened, Who is Affected, What to Do II. Understanding the Vulnerability III. Technical Recommendations IV. Plans and Schedules APPENDICES A. Queuing Capacity Vs. Attack Rates B. How to obtain Sun security patches C. How to report or inquire about Sun security problems D. How to obtain Sun security bulletins or short status updates Send Replies or Inquiries To: Mark Graff Sun Security Coordinator MS MPK17-103 2550 Garcia Avenue Mountain View, CA 94043-1100 Phone: 415-786-5274 Fax: 415-786-7994 E-mail: security-alert@Sun.COM Keywords: TCP, SYN, denial-of-service Patchlist: Cross-Ref: CERT CA-96.21 ----------- Permission is granted for the redistribution of this Bulletin, so long as the Bulletin is not edited and is attributed to Sun Microsystems. Portions may also be excerpted for re-use in other security advisories so long as proper attribution is included. Any other use of this information without the express written consent of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all liability for any misuse of this information by any third party. ============================================================================= SUN MICROSYSTEMS SECURITY BULLETIN: #00136, 9 Oct 1996 ============================================================================= I. What has Happened, Who is Affected, What to Do A. What has Happened Late this summer, an electronic "hacker journal" published complete source code for a program to mount a so-called "TCP SYN flood" attack, in which a targeted system is bombarded with requests for a certain kind of network connection. Such an attack cannot compromise the security of a targeted system--no one can "break in" using it--but it can tie up the system, making it unavailable to respond to legitimate users. Some systems may even crash, if key system resources are exhausted. Within a few weeks after the release of the source code, several Internet service providers had been victimized by this "denial-of- service" attack. To date, published reports indicate that several dozen such attacks have been carried out, not only against commercial service providers but also popular non-profit sites, such as the Internet Chess Club. Because the complete source to the program, with instructions for use, was published, it takes little technical knowledge to mount the attack. Further, because the program takes steps to conceal which system is sending the packets, it's proved difficult (though not impossible) to trace an attack to its source. For these reasons--and although relatively few sites out of the Internet's tens of millions have been affected--Sun, along with many other software makers and computer security experts around the world, has worked hard since the day the attacks were announced to evaluate both the attack and the many countermeasures which have been proposed. This bulletin summarizes what we have learned, and gives the best advice we have today about which Sun customers may be vulnerable --and what those sites can do to protect themselves. B. Who is Affected The only systems which are vulnerable to this attack are those (such as Web servers, FTP servers, or mail servers) which directly accept TCP connection requests from other systems on the Internet. Most systems behind firewalls are safe. However, some firewalls are configured to pass through connection requests on particular ports to server systems behind the firewall. In such cases the server could well be vulnerable to a SYN flood attack. If you are not sure whether your systems accept TCP conection requests directly from systems on the Internet, check with your Network Administrator. C. What to Do If your Solaris/SunOS systems are vulnerable to the TCP SYN flood attack, there are several immediate steps you may be able to take to protect them. 1. Apply the parametric adjustments and other changes described in our "Technical Recommendations" section as soon as possible. (Note that some of the changes require access to source code.) When patches become available, as described under "Plans and Schedules", obtain and install them. 2. Consider adding additional physical memory to any systems which, as described in section II.D.3, would benefit from it. 3. If your system is running one of the older versions of the SunOS operating system, such as SunOS 4.1.3, 4.1.3_U1, or 4.1.4, or 5.3 (Solaris 2.3), consider upgrading to a later release. Solaris 2.4, 2.5, and 2.5.1 systems stand up to this attack much better than earlier releases, especially after tuning, because of the cumulative effect of several TCP-related improvements. The earlier releases can withstand only very light attacks, if any. Some details are provided under "Understanding the Vulnerability". 4. Review which incoming ports your system services. Pare that list down to essentials. One way to determine which ports your system is currently listening to by executing a command such as: netstat -a -f inet | grep LISTEN On Solaris 2.4 and later systems, you can obtain much the same information with the simpler command: ndd /dev/tcp tcp_listen_hash To reduce the number of ports listened to by inetd, edit the file /etc/inetd.conf and comment out any unneeded entries. 5. Consider installing--especially if you are a 4.1.x customer--a firewall, or a hardware filter, or one of the new third-party software packages. (Sun has not tested and does not currently endorse any of the new products, such as Checkpoint's "SYNDefender", now being marketed to defend against this attack.) II. Understanding the Vulnerability A. How the SYN Flood Attack Works The attack exploits a basic design element of the "TCP protocol", a set of rules developed many years ago to govern a certain class of conversations between computers. Here is a description, extracted from the recent CERT advisory CA-96.21. When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a set sequence of messages. This connection technique applies to all TCP connections--telnet, Web, email, etc. The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and the service-specific data can be exchanged between the client and the server. Here is a view of this message flow: Client Server ------ ------ SYN--------------------> <--------------------SYN-ACK ACK--------------------> Client and server can now send service-specific data The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to the client but has not yet received the ACK message.... The attacking system sends [a flood of] SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. Bombarding a system with, say, dozens of falsified connection requests a minute can seriously degrade its ability to give service to legitimate connection requests. This is why the attack is said to "deny service" to the system's users. B. How To Tell If Your System Is Under Attack 1. Checking for Connections in the "SYN_RCVD" State A system under attack may appear to be running normally in most respects. Outgoing connections, for example, and logged-in users may be serviced normally. The symptoms of the attack will most likely be noticed when someone attempts an incoming connection --for example, by trying to reach a Web site on the target system. Depending on the rate of attack (and how resistant it is), the system will react sluggishly, or not at all, to such incoming connection requests. One way a system administrator can check to see whether an attack is in progress is to monitor the number of TCP connections in the "SYN_RCVD" state, via a command such as the following. netstat -an -f inet | grep SYN_RCVD | wc -l Comparing the value returned by this command to a known-normal value will give a good indication of whether the system is under attack. 2. Using TCP Transaction Statistics The above check for the "SYN_RCVD" state will work for all Solaris/SunOS systems. More refined tools are available under Solaris 2.x systems, which maintain TCP transaction statistics. Display the TCP transaction statistics with a command such as: netstat -s -P tcp The "tcpTimRetransDrop" parameter shows the number of aborts since boot time due to abort timer expirations. This count includes both SYN requests and established TCP connections. The "tcpListenDrop" parameter, introduced in Solaris 2.5.1, shows the number of SYN requests that have been refused since boot time due to "backlog full" conditions. You may see occasional "tcpListenDrop" incidents on a normal, busy 2.5.1 system. (This can happen, for example, when the loaded system is not able to schedule the server daemon soon enough to service incoming SYN requests, so that they fill up the daemon's backlog queue.) But if you see the "tcpListenDrop" count going up very quickly, with "tcpTimRetransDrop" events following that rise, your system may well be under a SYN attack. C. Our Testing The first incidents were announced a few weeks ago. Since then Sun has obtained several versions of SYN flood attack software, and tested the most effective of them against every supported SunOS version. A complex mix of hardware configurations were included in the testing, being combined with the different operating system releases to produce a test matrix with dozens of combinations. Basing our trials on publicly and privately obtained information about the rates and durations of the attacks, we reproduced in our testing two common modes. The "light" attack consisted of a few falsified SYN requests a second. The "heavy" attack consisted of hundreds (even thousands) such packets per second. D. How Sun Systems Stand Up Our testing indicates that even a light SYN flood attack will often succeed against Solaris/SunOS systems which have not been either shielded from it or hardened against it. After such steps have been taken, newer and larger systems can generally withstand even a heavy attack; systems running older releases of SunOS--especially those with relatively small amounts of memory, say 64 MB--still succumb. We have seen the following regularities apply. 1. Faster hardware does better than slower hardware. The CPU time required to handle the flood of connection requests represents less of a resource drain. 2. Newer versions of SunOS react much better than older versions. Specifically, we have found that Solaris 2.5.1, 2.5, and 2.4 (SunOS 5.5.1, 5.5, and 5.4) perform better under attack than SunOS 5.3, 4.1.4, 4.1.3_U1, and 4.1.3. 3. Systems with plenty of physical memory react better than systems with less memory, so long as the operating system is able to make use of the extra memory to create and manage a sizable queue. Systems with only 64 MB of memory may well benefit from an increase. Systems already at 128 MB or above might not. See appendix A for a formula you can use to help make this determination. SunOS 4.1.x systems cannot effectively make use of more than 2 MB of memory for queue entries, because of a systemic limitation in the management of "mbufs". For this reason adding extra memory will not help harden a 4.1.x system to this attack. SunOS 5.3 (Solaris 2.3) also fares little better under this attack with "extra" memory, though for different reasons. The capacity to cope with memory demands dynamically was one of the features improved in Solaris 2.4. It shows. 4. Systems which do not need to service legitimate connection requests over slow asynchronous lines fare much better than those which do. This is because setting a very low timeout value for connection requests helps the system clean up fake requests quickly, but may cause an unacceptably high timeout rate for legitimate connections over slow links. Our conclusion after testing: without adjustment, no version of Solaris/SunOS can be relied upon to withstand a heavy (hundreds of packets a second) SYN flood attack. After parametric tuning, Solaris 2.4 and later releases stand up very well. Earlier versions, including Solaris 2.3, may withstand a very light attack but remain susceptible to moderate and heavy ones. III. Technical Recommendations The two most effective adjustments which you can make quickly to protect your Solaris/SunOS systems against the SYN flood attack are to (1) shorten the value of the abort timer, and (2) lengthen the backlog queue for those TCP ports which might be bombarded. On Solaris 2.x systems, these changes can be made using the ndd program. Rebuilding the kernel is required to adjust the behavior of 4.1.x systems. The two changes each increase the capacity of the system to queue and process all TCP connection requests, whether valid or invalid. Increasing the length of the backlog queue will have no effect unless you also make an adjustment involving the listen() call on the affected port(s). You will need to either rebuild from source the listener applications your systems use, or patch the binaries. See paragraph C below for some more information. Lowering the abort timeout is a very effective measure to take against SYN attacks. Changing this parameter, however, will have a side effect that some sites may find unacceptable: outgoing connection requests, initiated by users already on the adjusted system, will time out in less time than before. This side effect occurs because the system uses the same abort timer for both incoming and outgoing connections. Will adding physical memory improve your system's ability to withstand the attack? It's possible; the answer depends on how much memory your system has now, how many ports service incoming connections, how low you can set the abort timer value, and which version of the operating system (see section II.D.3) your system is running. See Appendix A for a more detailed discussion of the relationship between the effects of queue length, abort timeout, and available memory. For information about more sophisticated, design-level approaches we are working on (which all involve source code changes), see section IV. A. Decreasing the Abort Timeout Value Solaris/SunOS systems are distributed with timeout values set either to four minutes (SunOS 5.3 and earlier 5.x) or three minutes (SunOS 5.4 and later). For 4.1.x the timeout is 75 seconds. These values were selected to ensure reasonable performance over slow asynchronous lines, which can incur very long delays. Lower values allow the system to purge falsified connection requests faster. In our testing, values in the range of ten seconds gave the best results in configurations which did not include asynchronous lines. However, setting the abort timer to such a low value may very likely cause unsatisfactory results if connections involving asynchronous lines must be serviced. In those cases, a value in the range of one minute may give more satisfactory results. 1. Instructions for Solaris 2.x systems. On Solaris 2.x systems, you can set the abort timer value with a command similar to: ndd -set /dev/tcp tcp_ip_abort_cinterval 10000 The timeout value, here ten seconds, is given in milliseconds. To make the change permanent, add the command to the file /etc/init.d/inetinit. Note that, as described above, this new value will also affect outgoing connections. 2. Instructions for SunOS 4.1.x systems. We list here two possible approaches. Each involves rebuilding the kernel. Note that because the value is interpreted here as being in half-second units, you must change the parametric value to 20 to reduce the timeout to, for example, 10 seconds. a. Place the value of the abort timer in a variable, so that it can be changed with adb. This approach is the one we expect to take in an upcoming 4.1.x kernel patch. Here are diff files (the example is taken from our 4.1.4 source) showing one way to effect that change. tcp_input..c: > /* adjustable variable to replace TCPTV_KEEP_INIT */ > int tcptv_keep_init = TCPTV_KEEP_INIT; 444c446 < tp->t_timer[TCPT_KEEP] = TCPTV_KEEP_INIT; --- > tp->t_timer[TCPT_KEEP] = tcptv_keep_init; After editing the file, you would need to put the modified tcp_input.c file in /sys/netinet and rebuild a kernel. b. Change the abort timer value parameter, TCPTV_KEEP_INIT, and rebuild the kernel. The parameter is defined in the header file /sys/netinet/tcp_timer.h. This approach is slightly simpler but has the side effect on outgoing connections discussed earlier. After editing the header file, you would need to rebuild a kernel, ensuring that the tcp_input.c was re-compiled. B. Lengthening the Per-Port Backlog Queue Solaris 2.4 and 2.3 systems, and 4.1.x systems, are distributed with a maximum backlog queue length of 5. For Solaris 2.5 and 2.5.1, the value was increased to 32. To harden your system against SYN flood attacks, you probably need a value in the thousands. In the examples below we show how to set the actual per-port max value to 8,192. During our testing the number of queue entries never exceeded this number, no matter how fast we bombarded the system with SYN requests. 1. Instructions for Solaris 2.x systems. Lengthening the backlog queue is a two-step process. Before increasing the value of the parameter which controls how many connections may be queued per port, it is necessary to change the maximum value the system will range-check the new setting against. a. First, change the upper limit the system will enforce. This can be done with adb. One approach is to effect the change in a startup file, then reboot the system. To change the upper limit to a value of 10,240, append the following line to the file /etc/init.d/inetinit: echo "tcp_param_arr+14/W 0t10240" | adb -kw /dev/ksyms /dev/mem b. Next, change the system parameter specifying the per-port backlog queue length. This can be done with the ndd program. ndd -set /dev/tcp tcp_conn_req_max 8192 The parametric value you specify must be less than or equal to the upper limit set in the previous step (as in this case the value of 8,192 is less than the upper limit of 10,240). After executing the ndd command, you will need to restart the listener daemons for the change to tcp_conn_req_max to have any effect. The queue data structures are created at the time the listen() call is handled. To make the change permanent, add the command to the file /etc/init.d/inetinit. 2. Instructions for SunOS 4.1.x systems. We list here three possible approaches. The first two are equivalent. All involve rebuilding the kernel. What is the best value for SOMAXCONN, the maximum per-port backlog queue value parameter? The answer will vary, depending on how your system is used. Values between 100-500 are good places to start. Just how high a value can safely be used depends primarily on how many ports are likely to be attacked. In SunOS 4.1.x systems only 2MB of memory can be allocated for mbufs. A heavy attack into a long queue can exhaust the system's supply of mbufs quickly. Since SOMAXCONN is used to limit the queue length for each port, a value of 1,000 may be safe if connections to only one port (to a Web server,for example) are passed through by a packet-filtering firewall or router. A conservative approach, then, might be to minimize the number of incoming ports serviced (N), then set SOMAXCONN so that N * SOMAXCONN < 1000 Since each queue entry consumes about 600 bytes of memory, the total amount of memory dedicated to queue entries when the system was under attack would then be 600,000--more than one-fourth the total mbuf allocation. a. Change the maximum per-port backlog queue value parameter, SOMAXCONN, and rebuild the kernel. The parameter is defined in the header file /sys/sys/socket.h. b. Place the value in a variable, so that it can easily be changed with adb. This more flexible approach is the one we expect to take in an upcoming 4.1.x kernel patch. Here are diff files (again from 4.1.4) showing one way to effect that change. uipc_socket.c: > /* adjustable variable to replace SOMAXCONN */ > int somaxconn = SOMAXCONN; > 119c122 < so->so_qlimit = MIN(backlog, SOMAXCONN); --- > so->so_qlimit = MIN(backlog, somaxconn); After editing the files, you would need to put the modified uipc_socket.c in /sys/os and the modified tcp_input.c in /sys/netinet and rebuild a kernel. Note that since so_qlimit (the receive queue limit) is the MIN() of the application-specified backlog value and somaxconn, listening applications must be restarted after a change to the new variable somaxconn is made. c. Modify the kernel code which uses SOMAXCONN, causing it to disregard the application-specified backlog and substitute the same (presumably higher) value for each port. We have not tested this approach under production conditions and stop short, at this point, of recommending it. uipc_socket.c: > /* adjustable variable to replace SOMAXCONN */ > int somaxconn = SOMAXCONN; > 119c122 < so->so_qlimit = MIN(backlog, SOMAXCONN); --- > so->so_qlimit = somaxconn; /* NOT RECOMMENDED */ C. Increasing the Number of Connections the Listener Processes Can Service As stated earlier, increasing the length of the backlog queue will have no effect unless you also make an adjustment involving the listen() call on the affected port(s). That is, listening applications will need to be rebuilt to increase the requested backlog value, so that the new SOMAXCONN value is reflected in so_qlimit. Three listening applications found on most UNIX systems are in.named, sendmail, and inetd. (Many sites also run their own customer applications.) So one example of a listener program which will need to be changed is inetd, which issues the listen() call on behalf of the daemons for which it watches ports. We expect to issue a patch for inetd in the near future (see section IV.D). That patch is likely to add to inetd the ability to specify on the command line the number of connections to which inetd will listen on a particular port. Until such a patch is available, customers with source licenses may want to rebuild inetd, implementing either the new feature described above or the following, simpler change. The change is once again shown with reference to SunOS 4.1.4 source. inetd.c: 656c656 < listen(sep->se_fd, 10); --- > listen(sep->se_fd, 1000000); 705c705 < listen(sep->se_fd, 10); --- > listen(sep->se_fd, 1000000); 1247c1276 < qlen = 10; --- > qlen = 1000000; 1324c1353 < listen(sep->se_fd, 10); --- > listen(sep->se_fd, 1000000); 1365c1394 < qlen = 10; --- > qlen = 1000000; 1433c1462 < listen(sep->se_fd, 10); --- > listen(sep->se_fd, 1000000); The effect of these edits would be to cause inetd to always specify in the listen() call that it could handle 1,000,000 simultaneous connections. The effective value would thus be the system's upper limit. IV. Plans and Schedules The parametric adjustments we have discussed can bring about significant improvement. But they do not represent a complete solution to the problems posed by the SYN flood attack. The principal drawbacks are: 1. Lowering the abort timer value to small values (on the order of ten seconds) is not practical when slow asynchronous lines must be serviced. Service providers may find this dilemma particularly difficult to resolve--unless all access to their systems is via slow lines, in which case the attack rate will be low, and long timeouts values may be acceptable. 2. Increasing the backlog queue to very large (on the order of 10K) means that, when the system is under attack, falsified requests will consume several megabytes of memory. This memory, and the CPU cycles needed to handle the requests and operate the timeouts, are resources wasted when the system must treat every request in the same way. 3. Modifying system parameters to allow a larger maximum backlog queue length has no effect without other changes. The kernel will only insert into a port's queue however many connection requests the servicing application announced it could handle at the time it issued the listen() system call. In some applications, the listen backlog size is configurable. In others, the size is hard-coded. Unfortunately, for inetd (a program which itself serves as a listener on behalf of other programs) the value used for the backlog size is hard-coded. So inetd must be re-compiled in order for a change in the system maximum to have any effect on ports on which inetd is listening. Better solutions require algorithmic re-design at the source level. A. Design-Level Changes Being Considered Sun is currently testing several possible new algorithms to deal with SYN flood and similar attacks. Many of these possible changes were suggested and analyzed in the informal discussions that have arisen amongst experts worldwide seeking defensive countermeasures. Some of the methods being considered for inclusion in some Solaris/SunOS releases are: 1. Implement an algorithm (perhaps a combination of "random drop" and "oldest drop") to drop queue members when the backlog queue is full. 2. Tune the networking code to handle large numbers of SYN requests more efficiently by (for example) changing the listener queue to use more efficient data structures, such as hash tables. 3. Give priority to requests which originate from sources with which successful handshakes have already been concluded in the past. In addition, many of the above methods might be combined with an adaptive approach to produce behavior which varies depending on whether or not the system seems to be under attack. B. OS Versions For Which Algorithmic Changes Are Being Developed Sun will develop and adopt defensive techniques, similar to those outlined above, in a future release of Solaris/SunOS. Some of these techniques are already being tested in our development labs for possible inclusion in the next release. In addition, Sun commits to producing patches representing an appropriate subset of such techniques for the following versions of Solaris/SunOS: Solaris 2.5.1, 2.5, and 2.4 (SunOS 5.5.1, 5.5, and 5.4 respectively). Patches will be supplied for all supported hardware platforms. C. OS Versions For Which No Algorithmic Changes Are Planned No design-level algorithmic changes are planned for the following versions of Solaris/SunOS: 5.3 (Solaris 2.3), 4.1.4, 4.1.3_U1, and 4.1.3. This decision was reached after careful study of several engineering options and their concomitant benefits, resource commitments, and risks. Sun will produce patches for these releases in the near future, however, which make it possible for customers without source code to implement the parametric adjustments described in the Technical Recommendations section. We also encourage all customers who may be affected by this new attack to investigate third-party solutions such as those alluded to earlier. Note that the SYN flood attack is not the result of any system bug, defect, or flaw, nor any error in implementing the TCP protocol. Rather, it represents the stark difference between the world in which TCP was designed and the Internet environ- ment we work in and live in today. The decision to not develop algorithmic changes for these older releases does not represent any change in Sun's commitment to provide fixes, free of charge, for all security bugs in supported releases. D. Schedule of Upcoming Patches Sun will produce patches in the near future to facilitate the application of parametric changes to SunOS 4.1.x systems. We expect that these patches, which will appply to the kernel and to inetd, will be available in two weeks or less. Sun will also produce inetd patches for all supported Solaris 2.x releases. We expect these patches to be available within three weeks. As described earlier, Sun will also release kernel patches for Solaris 2.4 and later releases which implement design-level changes. We will give these changes an extremely high priority in the development and patch processes. Official patches may take as long as two or even three months to produce, as a result of the testing required of every kernel patch; but preliminary patches should be available within 30 days for testing by interested customers. All of the patches described above will be announced via our usual methods. In addition, we will issue within 30 days a supplemental Sun Bulletin detailing the algorithms we have selected and the exact dates we expect the patches to be available. APPENDICES A. Queuing Capacity Vs. Attack Rates 1. The arithmetical relationships The relationship between the effects of queue length, abort timeout, and available memory is shown by the following calculations. Each entry in the backlog queue takes up roughly 600 bytes. Let: T = the setting of the abort timer, in seconds; L = the backlog limit of the listener queue, per port, in bytes; N = the number of ports which must service SYN connections; R = the rate of all incoming SYN requests on a given port; and RTT = Round-trip-time between the client and the server. Then we can calculate the total amount of memory potentially consumed by a full-out SYN attack on all ports, filling all queues, as: N * L * ~600 So the total for, say, 25 ports with queues 8,192 entries long would be 25 ports * 8,192 entries * ~600 bytes/entry or about 120MB. This calculation shows why an increase from 64 MB to 128 MB may help your system cope with an attack, and also why it is important to determine and reduce the number of listening ports. 2. Memory limits On Solaris 2.x systems, the memory the system allocates to the queues comes from the kernel heap. Adding physical memory beyond 64 MB may not increase the size of the heap, which is itself allocated from the virtual address space available to the kernel. The maximum memory available to the kernel varies depending on the hardware platform. Some common values are 100MB for sun4m machines, 240-250MB for sun4d machines, and more than 2GB for sun4u processors. On SunOS 1.x systems, of course, the allocation must come from the 2MB mbuf limit. 3. Queue overflow and timeouts If a port is under attack, and the queue is filling up, then all incoming SYN requests (good or faked) will continue to be queued so long as L/T > R When the SYN arriving rate R is greater than L/T, however, then R - L/T packets/sec will be dropped. At that point, therefore, a legitimate SYN request may be lost in the flood of fakes. Of course, for any request, if RTT > T, the request will time out. B. How to obtain Sun security patches 1. If you have a support contract Customers with Sun support contracts can obtain any patches listed in this bulletin (and any other patches--and a list of patches) from: - SunSolve Online - Local Sun answer centers, worldwide - SunSITEs worldwide The patches are available via World Wide Web at http://sunsolve1.sun.com. You should also contact your answer center if you have a support contract and: - You need assistance in installing a patch - You need additional patches - You want an existing patch ported to another platform - You believe you have encountered a bug in a Sun patch - You want to know if a patch exists, or when one will be ready 2. If you do not have a support contract Customers without support contracts may now obtain security patches, "recommended" patches, and patch lists via SunSolve Online. Sun does not furnish patches to any external distribution sites other than the ones mentioned here. The ftp.uu.net and ftp.eu.net sites are no longer supported. 3. About the checksums So that you can quickly verify the integrity of the patch files themselves, we supply in each bulletin checksums for the tar archives. Occasionally, you may find that the listed checksums do not match the patches on the SunSolve or SunSite database. This does not necessarily mean that the patch has been tampered with. More likely, a non-substantive change (such as a revision to the README file) has altered the checksum of the tar file. The SunSolve patch database is refreshed nightly, and will sometimes contain versions of a patch newer than the one on which the checksums were based. In the future we may provide checksum information for the individual components of a patch as well as the compressed archive file. This would allow customers to determine, if need be, which file(s) have been changed since we issued the bulletin containing the checksums. In the meantime, if you would like assistance in verifying the integrity of a patch file please contact this office or your local answer center. [ End of SUN Bulletin ] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Sun Microsystems for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 510-422-8193 FAX: +1 510-423-8002 STU-III: +1 510-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN number, 8550074 is for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://ciac.llnl.gov/ Anonymous FTP: ciac.llnl.gov (128.115.19.53) Modem access: +1 (510) 423-4753 (28.8K baud) +1 (510) 423-3331 (28.8K baud) CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information; 2. CIAC-NOTES for Notes, a collection of computer security articles; 3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and valid information for LastName FirstName and PhoneNumber when sending E-mail to ciac-listproc@llnl.gov: subscribe list-name LastName, FirstName PhoneNumber e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36 You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help. PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) G-40: SGI admin and user Program Vulnerabilities G-41: Vulnerability in BASH Program G-42: Vulnerability in WorkMan Program G-43: Vulnerabilities in Sendmail G-44: SCO Unix Vulnerability G-45: Vulnerability in HP VUE G-46: Vulnerabilities in Transarc DCE and DFS G-47: Unix FLEXlm Vulnerabilities G-48: TCP SYN Flooding and IP Spoofing Attacks H-01: Vulnerabilities in bash RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC) Notes 07 - 3/29/95 A comprehensive review of SATAN Notes 08 - 4/4/95 A Courtney update Notes 09 - 4/24/95 More on the "Good Times" virus urban legend Notes 10 - 6/16/95 PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability in S/Key, EBOLA Virus Hoax, and Caibua Virus Notes 11 - 7/31/95 Virus Update, Hats Off to Administrators, America On-Line Virus Scare, SPI 3.2.2 Released, The Die_Hard Virus Notes 12 - 9/12/95 Securely configuring Public Telnet Services, X Windows, beta release of Merlin, Microsoft Word Macro Viruses, Allegations of Inappropriate Data Collection in Win95 Notes 96-01 - 3/18/96 Java and JavaScript Vulnerabilities, FIRST Conference Announcement, Security and Web Search Engines, Microsoft Word Macro Virus Update