HP Tru64 UNIX and TruCluster Server Version 5.1B-5 Patch Summary and Release Notes (March 2009)

These packets need to have source and destination IP addresses that match the established connection as well as the same source and destination TCP ports. The fact that TCP sessions can be reset by sending suitable RST and SYN packets is a design feature of TCP. According to RFC 793, an RST or SYN attack is only possible when the source IP address and TCP port can be forged (also called spoofed). In that case TCP sessions, including Telnet, SSH, SFTP and HTTP, may be disconnected without warning. TCP sessions that have been disconnected can be re-established.

Normally, a TCP SYN packet (request for a new connection) that arrives on a server using a matching IP address, port number, and matching sequence number for an existing connection causes a TCP RST packet to be returned to the client. An attacker can guess the proper sequence number, along with the port and IP addresses, to cause an existing connection to be terminated with a TCP RST.

When a client is rebooted without closing an old connection to the server, a subsequent attempt to connect to the server that matches the old connection tuple and sequence number will require a TCP RST in order to purge the old (stale) connection.

HP has addressed these potential vulnerabilities, called TCP RST attack and TCP SYN attack, by providing two new kernel tunable variables, tcp_rst_win (TCP RST window) and tcp_syn_win (TCP SYN window).

These variables mitigate the TCP reset attack by reducing the window sizes in which a TCP RST/SYN packet will be accepted by the Tru64 UNIX system.
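The following is an added model, not code from HP or from this patch kit, of what narrowing the acceptance window buys. It assumes that tcp_rst_win = -1 means the full receive window as RFC 793 describes and that a positive value caps the accepted range at that many bytes from RCV.NXT; the connection state and the candidate sequence numbers are constructed for the illustration.

```python
# Added illustration, not HP's code: a model of how a narrower RST
# acceptance window rejects more forged RST segments.  Assumed semantics
# (not stated on the page): tcp_rst_win = -1 accepts an RST anywhere in the
# full receive window [RCV.NXT, RCV.NXT + RCV.WND), per RFC 793; a positive
# value caps the accepted range at that many bytes from RCV.NXT.
SEQ_SPACE = 2 ** 32  # TCP sequence numbers wrap modulo 2**32


def rst_window(rcv_wnd, tcp_rst_win):
    """Bytes from RCV.NXT within which an inbound RST is honoured."""
    if tcp_rst_win < 0:            # -1 is the default: full receive window
        return rcv_wnd
    return min(rcv_wnd, tcp_rst_win)


def rst_accepted(seg_seq, rcv_nxt, rcv_wnd, tcp_rst_win):
    """True if an RST with sequence number seg_seq would reset the connection.

    The subtraction is done modulo 2**32 so a window that straddles the
    sequence-number wraparound is handled correctly.
    """
    offset = (seg_seq - rcv_nxt) % SEQ_SPACE
    return offset < rst_window(rcv_wnd, tcp_rst_win)


def count_accepted(seqs, rcv_nxt, rcv_wnd, tcp_rst_win):
    """How many of the candidate sequence numbers would be accepted."""
    return sum(1 for s in seqs if rst_accepted(s, rcv_nxt, rcv_wnd, tcp_rst_win))


# Constructed sample connection: RCV.NXT sits just below the wraparound and
# the receive window is 65535 bytes, so part of the window lies past zero.
RCV_NXT = 4_294_960_000
RCV_WND = 65_535
# Constructed candidate RST sequence numbers, relative to RCV.NXT:
#   exact, +1000, +10000 (wraps past 2**32), +60000, and one byte before.
CANDIDATES = [
    RCV_NXT,
    RCV_NXT + 1_000,
    (RCV_NXT + 10_000) % SEQ_SPACE,
    RCV_NXT + 60_000,
    RCV_NXT - 1,
]

if __name__ == "__main__":
    for setting in (-1, 2048):
        n = count_accepted(CANDIDATES, RCV_NXT, RCV_WND, setting)
        print(f"tcp_rst_win={setting:>5}: window={rst_window(RCV_WND, setting):>5} "
              f"bytes, {n} of {len(CANDIDATES)} candidate RSTs accepted")
```

With the default setting four of the five constructed candidates are honoured; at tcp_rst_win=2048 only the two that fall within 2048 bytes of RCV.NXT are, and the same check applies to the SYN case governed by tcp_syn_win.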
The attributes for these variables are described in a revised sys_attrs_inet(5) reference page included in this kit.

After the patch kit is installed, you can adjust the variables using the sysconfig and sysconfigdb commands, as described in the following sections.
3.2.2.10.1 Adjusting the tcp_rst_win Variable
You can adjust the TCP RST window variable, tcp_rst_win, as follows:
# sysconfig -q inet tcp_rst_win
inet:
tcp_rst_win = -1
# sysconfig -r inet tcp_rst_win=2048
tcp_rst_win: reconfigured
# sysconfig -q inet tcp_rst_win
inet:
tcp_rst_win = 2048
# sysconfig -q inet tcp_rst_win > /tmp/tcp_rst_win_merge
# sysconfigdb -m -f /tmp/tcp_rst_win_merge inet
# sysconfigdb -l inet