
HP-UX SYN Flood Vulnerability
FA-97.05
Published: 1997-05-01 00:00:00
Updated: 1997-05-01 00:00:00

-----BEGIN PGP SIGNED MESSAGE-----


******************************************************************************
             ------               -----   -----  ---     -----
             |      ----- ----   |          |    |  |   |
             |---   |     |   |  |          |    |  |   |
             |      |--   |   |  |          |    |--    |
             |      |     |   |  |          |    | \    |
             |      ----- ----    -----   -----  |  \    -----

                               A D V I S O R Y

                                    97.05
******************************************************************************
Topic: HP-UX SYN Flood Vulnerability
Source: CIAC

Creation Date: May 1, 1997 23:00 GMT   
Last Updated: May 1, 1997 23:00 GMT   


To aid in the wide distribution of essential security information,
FedCIRC is forwarding the following information from CIAC bulletin
H-50. FedCIRC urges you to act on this information as soon as
possible.

If you have any questions, please contact FedCIRC:

        Telephone:      +1 888 282 0870
        Email:          fedcirc@fedcirc.gov



=======================FORWARDED TEXT STARTS HERE============================

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                       HP-UX SYN Flood Vulnerability

May 1, 1997 23:00 GMT                                              Number H-50
______________________________________________________________________________
PROBLEM:       A vulnerability to TCP SYN flooding denial of service
               has been addressed.
PLATFORM:      HP-UX 9 and 10
DAMAGE:        Networked hosts can be made unavailable.
SOLUTION:      Apply patches as indicated below.
______________________________________________________________________________
VULNERABILITY  Exploit details involving this vulnerability have been made
ASSESSMENT:    publicly available.
______________________________________________________________________________

[ Start Hewlett-Packard Advisories ]

Document ID:  HPSBUX9704-060
Date Loaded:  970501
      Title:  SYN Flooding Security Vulnerability in HP-UX

- - -------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: HPSBUX9704-060, 30 April 1997
- - -------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible.  Hewlett Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

- - -------------------------------------------------------------------------
PROBLEM:  Vulnerability to 'SYN Flood' denial of service (DoS) attack
PLATFORM: HP 9000 Series 700/800s running versions of HP-UX 9.X & 10.X

DAMAGE:   Potential denial of service for network users.

SOLUTION: If protection is needed in your environment, apply the
           appropriate patch and enable/tune the defense mechanism.

           A white paper and tuning script are included within this
           bulletin to assist with the tuning process.

AVAILABILITY: All patches are available now.

- - -------------------------------------------------------------------------
I.
   A. Background
   B. Fixing the problem
   C. Recommended solution
   D. Impact of the patch

        Please refer to the following white paper for this information.
        The white paper also includes a shell archive containing the
        script to enable and tune the syn-flood defense mechanism.

__________________________________________________________________________

SYN Attack And HP-UX's Solution       Rev. 1


1. Introduction

This paper explains what a SYN attack is, briefly describes
what defenses are available today, and describes the HP-UX
solution available today.  It is assumed that the reader
has a basic knowledge of TCP/IP and the socket interface.  In
particular, the reader is expected to know the fields in an IP
header and a TCP header, and the handshake in establishing a
TCP connection.


2. What is a SYN attack?

A SYN attack is a denial of service attack in which at least one
internet port is blocked from legitimate access.  The attacker
achieves this by sending enough packets to the targeted ports to
completely block or severely curtail access to them.  These
packets are legal packets in compliance with the TCP/IP protocols,
except that they carry faked source addresses.

A SYN attack is one of the more severe denial of service attacks,
since every faked SYN packet, which costs the attacker almost
nothing to send, ties up a disproportionate share of the
target's resources for a disproportionately long time.

A TCP connection establishment process normally takes an
exchange of three TCP packets:  an initial SYN packet from a
client, a SYN-ACK packet from a server, and a SYN-ACK-ACK packet
from the client. Since the source address of the attacker's SYN
packet is faked, the SYN-ACK-ACK packet never comes.  (If the
faked address belonged to a live host, that host would answer
the unexpected SYN-ACK with a RST and free the queue slot, so an
attacker chooses addresses that are unreachable or unassigned.)

Until the connection establishment process times out, a
disproportionate amount of system resources is occupied: a slot
in the attacked port's listen queue, memory to maintain
connection information, and CPU and network bandwidth to
retransmit the SYN-ACK packet.

A TCP listen port has a finite number of slots in its listen
queue and normally that number of slots is relatively small.
When an attacker sends enough faked SYN packets, the listen
queue can be fully occupied and subsequently deny any
legitimate SYN packet from entering into the listen queue.


3. What are the defenses today against a SYN attack?

The best defense is to stop it at the source.  End systems
should not allow unauthorized users or applications to
generate any faked SYN packet.  Access to raw socket interface
should be restricted to trusted users or applications.

Routers may provide a second line of defense by screening
incoming IP packets to make sure that their source addresses
are valid for the interface on which they arrive.

Certain firewall products today can also filter out
faked IP packets.

End systems can also provide a last line of defense by
accommodating a much larger number of incoming SYN packets
and appropriately replacing those half-open connections that
have been sitting in the listen queue.


4. HP-UX's solution today

HP-UX restricts raw socket access to root.  Raw socket
is not an officially supported interface for normal
users on HP-UX.

Applying the appropriate patch (or a superseding patch) from the list
below provides defense against SYN attacks that reach the machine.


Patch Number     Release             Hardware Platform
- - ------------------------------------------------------
PHNE_9525        9.0                 s800
PHNE_10864       9.01                s700
PHNE_9100        9.03, 9.05, 9.07    s700
PHNE_9101        9.04                s800
PHNE_9102        10.01               s700
PHNE_9103        10.01               s800
PHNE_9104        10.10               s700
PHNE_9105        10.10               s800
PHNE_9106        10.20               s700
PHNE_9107        10.20               s800

A system wide kernel parameter is provided to
set a minimum length for a listen socket queue without
requiring programmatic change. A replacement algorithm is
used to remove a half-open connection from the listen socket
queue when the listen socket queue is full.


4.1. Setting up a SYN attack defense on HP-UX

There are a couple of kernel parameters you will have to set.
A shell script called syn_defense may be used to set these
kernel parameters:  the script modifies both the running kernel
image and the kernel file, so the modification takes effect
immediately and persists across reboots.  A copy of the
syn_defense script in the form of a shar file is attached
to the end of this paper.

1. hp_syn_protect

By default, the SYN attack defense is not turned on.
To turn it on, set hp_syn_protect to 1.  To turn it
off, set hp_syn_protect to 0.

As explained in more detail below, turning on SYN attack
defense will change the system behavior, and in a stress
condition can consume more memory and CPU resources even
if the system is not under attack.  Because only a very
small percentage of HP systems may be at risk of SYN
attacks, the SYN attack defense is not turned on by
default.

2. so_qlimit_min

When hp_syn_protect is enabled, so_qlimit_min specifies the
minimum length of a listen socket queue; applications requesting
a smaller backlog are given so_qlimit_min entries.

When the socket queue limit is reached, any new incoming
TCP connection request will replace one of the pending
TCP connections in the socket queue using a HP chosen
replacement algorithm.

By default, so_qlimit_min is set to 500.  This value should
comfortably defend against an attacker using a 56K baud modem.
Consult the section below for different exposures.


4.2. Determining a right so_qlimit_min value for a system

A proper value for so_qlimit_min can be derived from the
following formula, which gives the probability of a
successful connection establishment while a system is under
a SYN attack.  The formula treats each attacking SYN that
arrives while the listen queue is full as evicting one of the
L entries at random: a legitimate half-open connection
survives each such eviction with probability (L-1)/L, and
T*R attacking SYNs arrive during its handshake, so


    P = ((L-1)/L)^(T*R)

    where

    P = The probability a valid SYN packet can still be processed
         and be turned into an established TCP connection while a
         system is under a SYN attack.
    L = so_qlimit_min
    T = Time in seconds that it normally takes between sending
         the SYN-ACK packet and receiving the SYN-ACK-ACK packet.
         This can be approximated by the round trip time as
         reported by the ping command.
    R = Incoming rate of SYN packets in packets per second during
         a SYN attack. To arrive at a number with a high confidence
         of success, a worst-case estimate may be used.
         For example, the full bandwidth of a dial-up link may be
         assumed to be utilized by an attacker.  The intermediate
         routers may be assumed not to introduce any delay between
         packets. With these assumptions, the incoming rate can be
         derived from the formula below:

         R = B/S,

         where

         B = Bandwidth in bits/sec,
         S = SYN packet size in bits
           = (F  + IP header size  + TCP header size)*(8 + I)
           = (F  + 20 + 20)*(8 + I),

             where

             F = Frame overhead in bytes per packet
             I = Link overhead in bits per packet byte


A formula for so_qlimit_min can be derived from the above
probability formula:

    L = 1/(1 - P^(1/(T*R)))

Following is an example showing how to estimate a desired
so_qlimit_min value.

Suppose a 70% success rate is desired during an attack
through a 56K baud SLIP dialup link. In that case,

    P=.7
    B=57344
    F=2
    I=2
    S= (2 + 20 + 20)*(8+2) = 420
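The sizing procedure of section 4.2, carried through in code. This is an added
example and is not part of HP's white paper or of the syn_defense script. It
uses the page's 56K SLIP figures (B=57344, F=2, I=2, 20-byte IP and TCP headers,
the default so_qlimit_min of 500) but assumes a handshake time T of 0.5 s, which
the page does not give. The function names (syn_rate, required_qlimit,
handshake_time_for, simulate) are this example's own. handshake_time_for is the
same formula solved for T. simulate models the uniformly random eviction that the
P formula implies; HP's actual replacement algorithm is not described on the page,
so the simulation is a check of the formula, not of HP-UX.

```python
"""SYN-flood defense sizing: the HP-UX white paper's formulas, worked through.

Added example, not HP's code.  T below is an assumption for illustration;
B, F, I, the header sizes and the default so_qlimit_min come from the paper.
"""
import math
import random

IP_HDR_BYTES = 20
TCP_HDR_BYTES = 20


def syn_rate(B, F, I):
    """R = B / S, where S = (F + 20 + 20) * (8 + I) is one SYN packet in bits."""
    S = (F + IP_HDR_BYTES + TCP_HDR_BYTES) * (8 + I)
    return B / S


def success_probability(L, T, R):
    """P = ((L - 1) / L) ** (T * R): the chance that a legitimate half-open
    connection is still in a queue of L slots when its SYN-ACK-ACK arrives."""
    if L < 2:
        raise ValueError("so_qlimit_min must be at least 2")
    return ((L - 1) / L) ** (T * R)


def required_qlimit(P, T, R):
    """L = 1 / (1 - P ** (1 / (T * R))), rounded up to a whole queue slot."""
    if not 0.0 < P < 1.0:
        raise ValueError("P must be strictly between 0 and 1")
    return math.ceil(1.0 / (1.0 - P ** (1.0 / (T * R))))


def handshake_time_for(P, L, R):
    """The same formula solved for T: the longest handshake round trip at
    which a queue of L slots still gives success probability P at rate R."""
    return math.log(P) / (R * math.log((L - 1) / L))


def simulate(L, T, R, trials=20000, seed=1):
    """Monte Carlo check of P under the model the formula implies (an
    assumption, not HP's documented algorithm): the queue is full, a
    legitimate entry occupies one slot, and each of the round(T*R) attacking
    SYNs that arrive during the handshake evicts a uniformly chosen slot."""
    rng = random.Random(seed)
    evictions = round(T * R)
    survived = 0
    for _ in range(trials):
        if all(rng.randrange(L) != 0 for _ in range(evictions)):
            survived += 1
    return survived / trials


if __name__ == "__main__":
    # The paper's example: 70% success desired, attacker on a 56K SLIP link.
    P, B, F, I = 0.7, 57344, 2, 2
    T = 0.5  # ASSUMPTION: handshake round trip in seconds; not given on the page
    R = syn_rate(B, F, I)  # 57344 / 420 SYN packets per second
    print(f"R = {R:.2f} SYN/s from a {B} bit/s link")
    print(f"so_qlimit_min for P={P}, T={T}s: {required_qlimit(P, T, R)}")
    print(f"P with the default so_qlimit_min=500: {success_probability(500, T, R):.3f}")
    print(f"simulated P with L=500: {simulate(500, T, R):.3f}")
    print(f"T at which L=500 falls to P={P}: {handshake_time_for(P, 500, R):.2f} s")
```

Running the script shows what the paper's "comfortably defend" means for the
default of 500 entries: against a 56K attacker, success for legitimate clients
stays above 70% until their handshake round trip exceeds roughly 1.3 s. The
required_qlimit value moves quickly with T, so measure T on the slowest client
path you care about rather than on the local LAN.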







 
