[Info-vax] Harden TCPIP Srv OVMS again SYN FLOOD attacks
Jan-Erik Söderholm
jan-erik.soderholm at telia.com
Tue Aug 14 12:55:04 EDT 2018
On 2018-08-14 at 17:42, Stephen Hoffman wrote:
> On 2018-08-13 16:42:23 +0000, Rod Regier said:
>
>> The following cookbook will harden the IP stack for TCPIP Services for
>> OpenVMS V5.3 and above against SYN FLOOD attacks.
>
> For folks interested in this topic, see RFC 4987 for the common mitigations
> for a TCP SYN flood attack.
>
> https://tools.ietf.org/html/rfc4987
>
> And some introductory fodder on this particular mess:
>
> https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-34/syn-flooding-attacks.html
>
>
>> These updates override the cautious HPE distributed defaults. The
>> default was based on "small memory"
>> somaxconn=65535
>> sominconn=65535
>> ...
>
> The above increases the number of available sockets.
It is the queue size/length to a specific socket, not? And the mitigation
for SYN FLOOD is combined with lowering the timeout for packages in the
queue before they are deleted. I guess the thought is to make it harder
to reach the max number of queued SYN packages (connects).
What I do not fully understand is if that timeout functionality can
detect "bad" packages from "good". If not, I guess that good packages
can also be deleted. Now, if not some firewall or similar detects a
large volume of SYNs from a specific address and then shuts it down.
But OK, you get more headroom before that specific service dies.
>
> Which means the server will now have more sockets available to flood.
I think it will have larger queues for the available sockets.
Not more sockets.
Some related info:
http://support.sas.com/kb/11/479.html
http://h41379.www4.hpe.com/doc/732final/6631/6631pro_005.html (2.1.5.1)
https://docs.oracle.com/cd/B12037_01/server.101/q20201/misc/perf-dec.html
http://www.frascati.enea.it/documentation/tru6450/ARH9GATE/CHNTXXXX.HTM
https://ftp.unpad.ac.id/orari/library/library-ref-eng/ref-eng-1/network/network-security/avoidtcpsynattack.txt
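
The queue-length and timeout interplay discussed in this message, as an added example that is not part of the original post and is not TCPIP Services code: a simplified model of one listener's half-open queue. Only the 65535 queue length comes from the thread; the 128-entry queue, the timeouts, the SYN rates and the 100 ms round trip are constructed values, and `simulate` is a hypothetical helper.

```python
import heapq

def simulate(backlog, syn_timeout_ms, flood_per_s, legit_per_s=10,
             rtt_ms=100, duration_ms=60_000):
    """Model one listener's half-open queue in 1 ms ticks.

    Returns counters for legitimate clients only: handshakes completed,
    SYNs dropped because the queue was full, and entries that timed out.
    """
    pending = []  # min-heap of (release_ms, outcome); outcome "" = spoofed SYN
    stats = {"completed": 0, "dropped_full": 0, "expired": 0}
    flood_acc = legit_acc = 0
    for now in range(duration_ms):
        # Free slots whose handshake finished or whose timer ran out.
        while pending and pending[0][0] <= now:
            outcome = heapq.heappop(pending)[1]
            if outcome:
                stats[outcome] += 1
        # Spoofed SYNs never answer the SYN-ACK, so each one holds a slot for
        # the full timeout. They are admitted first in every tick, which is
        # the worst case for legitimate clients.
        flood_acc += flood_per_s
        n_flood, flood_acc = divmod(flood_acc, 1000)
        for _ in range(n_flood):
            if len(pending) < backlog:
                heapq.heappush(pending, (now + syn_timeout_ms, ""))
        # Legitimate clients finish the handshake one round trip later,
        # unless the timer removes their entry first: the timer treats
        # every half-open entry the same way.
        legit_acc += legit_per_s
        n_legit, legit_acc = divmod(legit_acc, 1000)
        for _ in range(n_legit):
            if len(pending) >= backlog:
                stats["dropped_full"] += 1
            elif rtt_ms < syn_timeout_ms:
                heapq.heappush(pending, (now + rtt_ms, "completed"))
            else:
                heapq.heappush(pending, (now + syn_timeout_ms, "expired"))
    return stats

if __name__ == "__main__":
    # (queue length, SYN timeout in ms); 500 spoofed SYNs/s in every run.
    for backlog, timeout in [(128, 75_000), (65_535, 75_000),
                             (128, 200), (65_535, 50)]:
        print(backlog, timeout, simulate(backlog, timeout, flood_per_s=500))
```

In this model the spoofed entries settle at roughly SYN rate times timeout, so a longer queue or a shorter timer both keep slots free; a timer shorter than a client's round trip expires that client's entry as well.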