TUCoPS :: HP/UX :: ciach050.txt

HP-UX Syn Flood Vulnerability



                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

                       HP-UX SYN Flood Vulnerability

May 1, 1997 23:00 GMT                                              Number H-50
PROBLEM:       A vulnerabilities have been addressed for TCP SYN flooding
               denial of service
PLATFORM:      HP-UX 9 and 10
DAMAGE:        Networked hosts can be made unavailable.
SOLUTION:      Apply patches as indicated below.
VULNERABILITY  Exploit details involving this vulnerability have been made
ASSESSMENT:    publicly available.

[ Start Hewlett-Packard Advisories ]

Document ID:  HPSBUX9704-060
Date Loaded:  970501
      Title:  SYN Flooding Security Vulnerability in HP-UX

- -------------------------------------------------------------------------
- -------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible.  Hewlett Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

- -------------------------------------------------------------------------
PROBLEM:  Vulnerability to 'SYN Flood' denial of service (DOS) attack
PLATFORM: HP 9000 Series 700/800s running versions of HP-UX 9.X & 10.X

DAMAGE:   Potential denial of service for network users.

SOLUTION: If protection is needed in your environment; Apply the
           appropriate patch and enable/tune the defense mechanism.

           A white paper and tuning script are included within this
           bulletin to assist with the tuning process.

AVAILABILITY: All patches are available now.

- -------------------------------------------------------------------------
   A. Background
   B. Fixing the problem
   C. Recommended solution
   D. Impact of the patch

        Please refer to the following white paper for this information.
        The white paper also includes a shell archive containing the
        script to enable and tune the syn-flood defense mechanism.


SYN Attack And HP-UX's Solution       Rev. 1

1. Introduction

This paper explains what a SYN attack is, briefly describes
what defenses are available today, and describes the HP-UX
solution available today.  It is assumed that the reader
has a basic knowledge of TCP/IP and Socket.  In particular,
the reader is expected to know the fields in a IP header and
a TCP header, and the handshake in establishing a TCP connection.

2. What is a SYN attack?

SYN attack is a denial of service attack in that at least one
internet port is blocked from legitimate access.  The attacker
achieves this by sending enough packets to targeted ports to
completely block or severely curtail access to these ports.  These
packets are legal packets in compliance with TCP/IP protocols,
except that they carry faked source addresses.

SYN attack is one of the more severe denial of service attacks,
since every faked SYN packet can disproportionately consume
a system's resources for a disproportional amount of time.

A TCP connection establishment process normally takes an
exchange of three TCP packets:  an initial SYN packet from a
client, a SYN-ACK packet from a server, and a SYN-ACK-ACK packet
from the client. Since the source address of the attacker's SYN
packet is faked, the SYN-ACK-ACK packet will never come.

Until the connection establishment process times out, a
disproportional amount of system resources are occupied: a slot
in the attacked port's listen queue, memory to maintain
connection information, and CPU and network bandwidth to
retransmit the SYN-ACK packet.

A TCP listen port has a finite number of slots in its listen
queue and normally that number of slots is relatively small.
When an attacker sends enough faked SYN packets, the listen
queue can be fully occupied and subsequently deny any
legitimate SYN packet from entering into the listen queue.

3. What are the defenses today against a SYN attack?

The best defense is to stop it at the source.  End systems
should not allow unauthorized users or applications to
generate any faked SYN packet.  Access to raw socket interface
should be restricted to trusted users or applications.

Routers may provide a second line of defense by screening
incoming IP packets to make sure that they are actually coming
from valid sources.

Certain firewall products today also can filter off
faked IP packets.

End systems can also provide a last line of defense by
accommodating a much larger number of incoming SYN packets
and appropriately replacing those half-open connections that
have been sitting in the listen queue.

4. HP-UX's solution today

HP-UX restricts raw socket access to root.  Raw socket
is not an officially supported interface for normal
users on HP-UX.

Applying the appropriate patch (or a superseding patch) from the list
below provides defense against SYN attacks that reach the machine.

Patch Number     Release             Hardware Platform
- ------------------------------------------------------
PHNE_9525        9.0                 s800
PHNE_10864       9.01                s700
PHNE_9100        9.03, 9.05, 9.07    s700
PHNE_9101        9.04                s800
PHNE_9102        10.01               s700
PHNE_9103        10.01               s800
PHNE_9104        10.10               s700
PHNE_9105        10.10               s800
PHNE_9106        10.20               s700
PHNE_9107        10.20               s800

A system wide kernel parameter is provided to
set a minimal length for a listen socket queue without
requiring programatic change. A replacement algorithm is
used to remove a half-open connection from the listen socket
queue when the listen socket queue is full.

4.1. Setting up a SYN attack defense on HP-UX

There are a couple kernel parameters you will have to set.
A shell script called syn_defense may be used to set these
kernel parameters:  the script will modify both the core
image and the kernel file, so the modification takes place
immediately, and persists across reboots.  A copy of the
syn_defense script in the form of a shar file is attached
to the end of this paper.

1. hp_syn_protect

By default, the SYN attack defense is not turned on.
To turn it on, set hp_syn_protect to 1.  To turn it
off, set hp_syn_protect to 0.

As explained in more detail below, turning on SYN attack
defense will change the system behavior, and in a stress
condition can consume more memory and CPU resources even
if the system is not under attack.  Because only a very
small percentage of HP systems may be at risk of SYN
attacks, the SYN attack defense is not turned on by

2. so_qlimit_min

When enabled, so_qlimit_min specifies the minimum length of a
listen socket queue, applications requesting less will be given
so_qlimit_min entries.

When the socket queue limit is reached, any new incoming
TCP connection request will replace one of the pending
TCP connections in the socket queue using a HP chosen
replacement algorithm.

By default, so_qlimit_min is set to 500.  This value should
comfortably defend against an attacker using a 56K baud modem.
Consult the section below for different exposures.

4.2. Determining a right so_qlimit_min value for a system

A proper value for so_qlimit_min can be derived from the
following formula that calculates the probability of a
successful connection establishment while a system is under
a SYN attack:

    P = ((L-1)/L)^(T*R)


    P = The probability a valid SYN packet can still be processed
         and be turned into an established TCP connection while a
         system is under a SYN attack.
    L = so_qlimit_min
    T = Time in seconds that it normally takes between sending
         the SYN-ACK packet and receiving the SYN-ACK-ACK packet.
         This can be approximated by the round trip time as
         reported by the ping command.
    R = Incoming rate of SYN packets in packets per second during
         a SYN attack. To come up a number with a high confidence
         of success, a worse case estimate may be used.
         For example, the full bandwidth of a dial-up link may be
         assumed to be utilized by an attacker.  The intermediate
         routers may be assumed not to introduce any delay between
         packets. With these assumptions, the incoming rate can be
         derived from the the formula below:

         R = B/S,


         B = Bandwidth in bits/sec,
         S = SYN packet size in bits
           = (F  + IP header size  + TCP header size)*(8 + I)
           = (F  + 20 + 20)*(8 + I),


             F = Frame overhead in bytes per packet
             I = Link overhead in bits per packet byte

A formula for so_qlimit_min can be derived from the above
probability formula:

    L = 1/(1 - P^(1/(T*R)))

Following is an example showing how to estimate a desired
so_qlimit_min value.

Suppose a 70% success rate is desired during an attack
through a 56K baud SLIP dialup link. In that case,

    S= (2 + 20 + 20)*(8+2) = 420
    R= B/S = 57344/420 = 137 (round up to nearest integer)

Let  T= 1 sec.
    L= 1/(1 - .7^(1/137))
     = 385 (round up to nearest integer)

Note, in SLIP there is 1 END byte in front and 1 END byte at the end
of a packet.  Since only a ballpark number is needed, it can be
assumed that there is no END character or a SLIP ESC character
within a SYN packet itself.  It is also assumed that 1 START bit
and 1 STOP bit is used per packet byte.

The round trip time, T, is set to 1 sec. in this calculation.
To establish a round trip time for a system, one may identify
a farthest node from the system and use the ping command to
sample the round trip time between that node and the system.

4.3. What impacts are there to the system if the SYN attack
defense is turned on?

In general, there should not be any direct noticeable
performance impact under normal conditions.  However,
turning SYN attack defense on will change the system behavior.

High connection attempt rates on a listen socket will result in
some of the client applications seeing ECONNREFUSED instead of
ETIMEOUT.  Likewise, more system resources may be held by the
application than normal under these circumstances.

4.4. Memory Requirement

Amount of memory consumed by faked SYN packets during an
attack is proportional to the attack rate. The worst case
requirement can be approximated with the formula below:

    M = 32700 * R


    M = memory in bytes,
    R = Incoming SYN attack rate in packets per second

To fully protect against an attacker using a 56K baud
modem, approximately 4.3 megabytes of memory should be
added to the networking memory pool.

5 Conclusion

SYN attack is a sophisticated attack against a system attached
to TCP/IP networks.  With the technology today, an effective
defense should be a multi-layer approach, using strict access
control at the source, source screening in the intermediate
routers and firewalls, and SYN attack defense solution at the
end system.  With sufficient memory, HP-UX can provide an
effective last line of defense against a SYN attack.

#------------------------------ cut here ----------------------------------
# This is a shell archive.  Remove anything before this line,
# then unpack it by saving it in a file and typing "sh file".
# This archive contains:
#        syn_defense
# Modification/access file times will be preserved.
# Error checking via wc(1) will be performed.
# Error checking via sum(1) will be performed.
# Files are compressed using compress(1).

LANG=""; export LANG
PATH=/bin:/usr/bin:$PATH; export PATH

if sum -r </dev/null >/dev/null 2>&1

rm -f /tmp/uud$$
(echo "begin 666 /tmp/uud$$\n#;VL*n#6%@x\n \nend" | uudecode) >/dev/null 2>&1
if [ X"`cat /tmp/uud$$ 2>&1`" = Xok ]
       echo Compiling unpacker for non-ascii files
       pwd=`pwd`; cd /tmp
       cat >unpack$$.c <<'EOF'
#include <stdio.h>
#define C (*p++ - ' ' & 077)
       int n;
       char buf[128], *p, a,b;

       scanf("begin %o ", &n);

       if (freopen(buf, "w", stdout) == NULL) {

       while (gets(p=buf) && (n=C)) {
               while (n>0) {
                       a = C;
                       if (n-- > 0) putchar(a << 2 | (b=C) >> 4);
                       if (n-- > 0) putchar(b << 4 | (a=C) >> 2);
                       if (n-- > 0) putchar(a << 6 | C);
       cc -o unpack$$ unpack$$.c
       rm unpack$$.c
       cd $pwd
rm -f /tmp/uud$$

echo x - syn_defense '[compressed]'
$unpacker <<'@eof'

Attachment Converted: c:\eudora\attach\syn_defense
uncompress <syn_defense >/tmp/compress$$
mv /tmp/compress$$ syn_defense
set `sum $sumopt <syn_defense`; if test $1 -ne 33966
       echo ERROR: syn_defense checksum is $1 should be 33966
set `wc -lwc <syn_defense`
if test $1$2$3 != 3149857054
       echo ERROR: wc results of syn_defense are $* should be 314 985 7054

touch -m 0418104397 syn_defense
touch -a 0418124997 syn_defense
chmod 555 syn_defense

rm -f /tmp/unpack$$
exit 0


   E.  To subscribe to automatically receive future NEW HP
   Security Bulletins from the HP Electronic Support Center via
   electronic mail, do the following:

   User your browser to get to the HP Electronic Support
   Center page at:

   (for US, Canada, Asia-Pacific, & Latin-America)

   (for Europe)

   Click on the Technical Knowledge Database, register as a user
   (remember to save the User ID assigned to you, and your password),
   and it will connect to a HP Search Technical Knowledge DB page.
   Near the bottom is a hyperlink to our Security Bulletin archive.
   Once in the archive there is another link to our current
   security patch matrix. Updated daily, this matrix is categorized
   by platform/OS release, and by bulletin topic.

   F. To report new security vulnerabilities, send email to


      Please encrypt any exploit information using the security-alert
      PGP key, available from your local key server, or by sending a
      message with a -subject- (not body) of 'get key' (no quotes) to

     Permission is granted for copying and circulating this Bulletin to
     Hewlett-Packard (HP) customers (or the Internet community) for the
     purpose of alerting them to problems, if and only if, the Bulletin is
     not edited or changed in any way, is attributed to HP, and provided such
     reproduction and/or distribution is performed for non-commercial

     Any other use of this information is prohibited. HP is not liable
     for any misuse of this information by any third party.

[ End Hewlett-Packard Advisories ]


CIAC wishes to acknowledge the contributions of Hewlett-Packard for the
information contained in this bulletin.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-notes

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

H-41: Solaris 2.x eject Buffer Overrun Vulnerability
H-42: HP MPE/iX with ICMP Echo Request (ping) Vulnerability
H-44: Solaris 2.x fdformat Buffer Overflow Vulnerability
H-45: Windows NT SAM  permission Vulnerability
H-46: Vulnerability in IMAP and POP
H-47A: AOL4FREE.COM Trojan Horse Program Destroys Hard Drives
H-48: Internet Information Server Vulnerability
H-49: NLS Buffer Overflow Vulnerability
H-22a: talkd Buffer Overrun Vulnerability
H-29a: HP-UX sendmail Patches Vulnerability

Version: 4.0 Business Edition


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2023 AOH