[Info-vax] Harden TCPIP Srv OVMS against SYN FLOOD attacks

Rod Regier rregier at dymaxion.ca
Mon Aug 13 12:42:23 EDT 2018


As a gift to the community.


The following cookbook will harden the IP stack for TCPIP Services for OpenVMS V5.3 and above against SYN FLOOD attacks.  This can be useful if you are still exposing an OpenVMS web server to the outside world. These updates override the cautious HPE distributed defaults.  The default was based on "small memory" system configurations.  I'm running 1G or above in my installed base so I'm not worried about memory depletion from this specific change.

$!
$! Before
$!
$SEA SYS$SPECIFIC:[TCPIP$ETC]sysconfigtab.dat ":","="
$CREATE temp_table_mgr.stanza 
$DECK
socket:
#
#      To display current "socket" values:
# 
#      tcpip sysconfig -q socket
#
#       HP TCP/IP Services for OpenVMS
#       Tuning and Troubleshooting
#       AA-RN1VB-TE
#       Section 2.1.5.1 and 2.3.1
#
#       Harden IP stack against SYN FLOOD attacks
#
        somaxconn=65535
        sominconn=65535
$EOD
$SET PROC/PRIV=ALL
$TCPIP SYSCONFIGDB -a -f temp_table_mgr.stanza SOCKET
$DEL/NOLOG temp_table_mgr.stanza; 
$!
$! after
$!
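$! ECHO is not a built-in DCL verb, so write the separator with WRITE SYS$OUTPUT
$WRITE SYS$OUTPUT "++++++++++++++++++++++++++++++++++"
$WRITE SYS$OUTPUT ""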
$SEA SYS$SPECIFIC:[TCPIP$ETC]sysconfigtab.dat ":","="

A recycle of TCPIP Services is required to bring the change into effect.
An overall server node reboot is often the "simple" way to do that,
since other services tend to be layered on top of TCPIP Services.

I did a before/after test probing my test server running the OSU web server
using a SYN FLOOD attack generated from Hyenae.  The difference was like night and day.
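
A read-only audit of the stanza file for the two values set above, as an added example that is not part of the original post. It assumes the stanza syntax shown in the cookbook (a name followed by a colon, then attribute=value lines, with # comments); the function names and sample file text are constructed for illustration.

```python
# Added example: audit sysconfigtab.dat-style text for the socket settings
# used in the post. The sample text below is constructed, not a real system file.
import re

# Values the post writes into the "socket" stanza.
EXPECTED = {"somaxconn": 65535, "sominconn": 65535}

STANZA_RE = re.compile(r"^([A-Za-z0-9_]+):\s*$")
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(\S+)\s*$")

def parse_stanzas(text):
    """Return {stanza: {attribute: value}}; later entries override earlier ones."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing blanks
        if not line.strip():
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return stanzas

def audit_socket(text, expected=EXPECTED):
    """Return a list of findings; an empty list means the stanza matches."""
    socket = parse_stanzas(text).get("socket")
    if socket is None:
        return ["no socket stanza: stack defaults apply"]
    findings = []
    for name, want in expected.items():
        got = socket.get(name)
        if got is None:
            findings.append(f"{name} not set: stack default applies")
        elif not got.isdigit() or int(got) != want:
            findings.append(f"{name}={got}, expected {want}")
    return findings

# Constructed samples: a file without the stanza, and one with a partial edit.
SAMPLE_BEFORE = "inet:\n        tcbhashsize=2048\n"
SAMPLE_AFTER = (SAMPLE_BEFORE + "socket:\n"
                "        somaxconn=65535   # hardened\n"
                "        sominconn = 1024\n")

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_socket(text) or "OK")
```

The file only shows what will be loaded at the next start of TCPIP Services; the running values are the ones reported by the sysconfig query named in the stanza comments.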


