The ID and password for accessing the training system are as follows.
Question 20
> Training system address : 118.216.64.54
> ID : level20
> Password (PW) : passwd=20
One day, WARNING messages suddenly start appearing in the console log of a Solaris system in operation. Checking the system state shows that the number of sockets in SYN_RECEIVED state (half-open sockets) is increasing rapidly. To prevent the system from crashing, the number of half-open sockets must urgently be reduced through IP stack tuning. Using the appropriate system command, limit the number of half-open sockets to 512.
Solution
System (port 88) maybe under a SYN flood attack
# Wed Nov 16 01:03:15 2011 sol2 unix: WARNING: HIGH TCP connect timeout rate!
System (port 88) maybe under a SYN flood attack
Wed Nov 16 01:04:15 2011 sol2 unix: WARNING: HIGH TCP connect timeout rate!
System (port 88) maybe under a SYN flood attack
#
# ndd -set /dev/tcp tcp_conn_req_max_q0 512
/dev/tcp tcp_conn_req_max_q0 512
# finish
Description
UNIX IP Stack Tuning Guide v2.7
Source : http://www.cymru.com/Documents/ip-stack-tuning.html
2. Socket queue defense against SYN attacks
While great effort is undertaken to defend any network from those with malicious intent, several ports (largely TCP) must remain open to conduct business. Internet vandals may attempt to exploit these ports to launch a denial of service attack. One of the most popular attacks remains the SYN flood, wherein the socket queue of the attacked host is overwhelmed with bogus connection requests. To defend against such attacks, certain UNIX variants maintain separate queues for inbound socket connection requests. One queue is for half-open sockets (SYN received, SYN|ACK sent), the other queue for fully-open sockets awaiting an accept() call from the application. These two queues should be increased so that an attack of low to moderate intensity will have little to no effect on the stability or availability of the server.
A. AIX
/usr/sbin/no -o clean_partial_conns=1
This setting will instruct the kernel to randomly remove half-open sockets from the q0 queue to make room for new sockets.
B. Solaris
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024
The q queue holds sockets awaiting an accept() call from the application.
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 2048
The q0 queue contains half-open sockets.
C. Tru64 UNIX
/sbin/sysconfig -r socket sominconn=65535
The value of sominconn determines how many simultaneous incoming SYN packets can be handled by the system.
/sbin/sysconfig -r socket somaxconn=65535
The value of somaxconn sets the maximum number of pending TCP connections.
D. HP-UX
/usr/sbin/ndd -set /dev/tcp tcp_syn_rcvd_max 1024
tcp_syn_rcvd_max limits the number of connections held in SYN_RCVD state (half-open sockets).
/usr/sbin/ndd -set /dev/tcp tcp_conn_request_max 200
tcp_conn_request_max limits the number of fully-open connections waiting for the application's accept() call.
E. Linux kernel 2.2
/sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=1280
Increases the size of the socket queue (effectively, q0).
/sbin/sysctl -w net.ipv4.tcp_syn_cookies=1
Enables support for TCP SYN cookies, which mitigates the effectiveness of SYN floods. However, this may cause performance problems for large windows (see RFC1323 and RFC2018). To read more about SYN cookies, please review D. J. Bernstein's SYN cookies paper.
F. FreeBSD
sysctl -w kern.ipc.somaxconn=1024
G. IRIX
The listen() queue is hardcoded to 32. However, the system actually enforces the limit of pending connections as ((3 * backlog) / 2) + 1. This yields a maximum backlog of 49 connections.
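The check behind Question 20 (count the SYN_RECEIVED sockets, find the port under pressure, pull the warnings from the console log, compare the count with the q0 limit that tcp_conn_req_max_q0 would set), as an added shell example that is not part of the original post or the Cymru guide. The netstat and console-log samples are constructed, and ndd itself is never invoked.

```shell
# Added example (not from the original post or the Cymru guide): the check behind
# Question 20 on sample data: count half-open sockets, find the port under pressure,
# count the console warnings, and compare the count with the q0 limit. ndd is not run.

# Constructed sample of Solaris 'netstat -an -f inet' output (not a real capture).
SAMPLE_NETSTAT='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
10.0.0.5.88          192.0.2.10.40001        0      0 49152      0 SYN_RCVD
10.0.0.5.88          192.0.2.11.40002        0      0 49152      0 SYN_RCVD
10.0.0.5.88          192.0.2.12.40003        0      0 49152      0 SYN_RCVD
10.0.0.5.22          10.0.0.9.51234      49640      0 49640      0 ESTABLISHED'

# Constructed console log in the format shown in the solution above.
SAMPLE_LOG='Wed Nov 16 01:03:15 2011 sol2 unix: WARNING: HIGH TCP connect timeout rate!
System (port 88) maybe under a SYN flood attack
Wed Nov 16 01:04:15 2011 sol2 unix: WARNING: HIGH TCP connect timeout rate!
System (port 88) maybe under a SYN flood attack'

# Half-open sockets; Solaris netstat prints the state as SYN_RCVD.
count_half_open() {
    printf '%s\n' "$1" | grep -Ec 'SYN_RCVD|SYN_RECEIVED' || true
}

# "port count" lines, busiest port first (port = last dotted field of the local address).
half_open_by_port() {
    printf '%s\n' "$1" | awk '$NF == "SYN_RCVD" || $NF == "SYN_RECEIVED" {
        n = split($1, a, "."); c[a[n]]++ }
        END { for (p in c) print p, c[p] }' | sort -k2,2nr
}
busiest_port() { half_open_by_port "$1" | head -n 1 | cut -d' ' -f1; }

# Number of "HIGH TCP connect timeout rate" warnings in the console log.
count_warnings() {
    printf '%s\n' "$1" | grep -c 'HIGH TCP connect timeout rate' || true
}

# Compare the half-open count with the q0 limit; warn once half of q0 is in use.
assess() {
    count=$(count_half_open "$1")
    limit=$2
    if [ "$count" -ge $((limit / 2)) ]; then
        echo "WARN: $count half-open sockets on port $(busiest_port "$1"), q0 limit $limit"
        return 1
    fi
    echo "OK: $count half-open sockets, q0 limit $limit"
}

assess "$SAMPLE_NETSTAT" 512
```

On a live Solaris host the constructed samples would be replaced by the output of `netstat -an -f inet` and the console log, with the current q0 limit read from `ndd -get /dev/tcp tcp_conn_req_max_q0`.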