Technical Document # - 10271916
____________________________________________________________
Family: LAN
Product: TCP/IP
Release: 3.1, 4.0, 4.1
Syslevel:
Last Updated: 10/30/97
____________________________________________________________
TITLE
How to Protect Against SYNFLOOD or SYNATTACK
DESCRIPTION
During the past few years, programs have been written whose purpose is to disable or shut down the TCP/IP connection of a machine that is connected to the Internet. The end result of running these programs against a machine is that its TCP/IP connection is disabled. This kind of attack goes by several names; for example, Ping of Death, SYNFLOOD, and SYNATTACK.
Background Information:
In a normal TCP session, when a machine tries to establish a TCP connection, it sends a segment with the SYN flag set; the receiving machine answers with a SYN/ACK, acknowledging the request and assigning a specific TCP port to that connection. If the sending machine agrees, it sends a final ACK to tell the receiving machine that it agrees to the connection (a three-way handshake).
During a SYNFLOOD or SYNATTACK, many SYN segments are sent with an invalid return IP address. The receiving machine handles each of them as a genuine request: it sends a SYN/ACK acknowledgement and assigns a TCP port to the connection. Because the return IP address is invalid, the final ACK never arrives and the TCP port is never released. The machine keeps retransmitting acknowledgements for the invalid SYN requests, and eventually all of the TCP ports on the system are tied up and the TCP connection is shut down.
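The following simulation is an added example, not IBM code and not a description of how the OS/2 SYNATTACK setting works internally (the document does not say). It models a listening socket that keeps a bounded table of half-open connections (SYN received, SYN/ACK sent, final ACK still outstanding). SYNs from an invalid return address never complete the handshake, so without any defense their entries stay in the table until a legitimate client can no longer get in. The defense modelled here, reaping half-open entries after a timeout, is an assumption chosen for illustration; the backlog size, timeout, addresses and flood size are all constructed values.

```python
"""Half-open connection exhaustion during a SYN flood, as a small simulation.

Added example, not IBM code and not the OS/2 SYNATTACK mechanism (which the
document does not describe). The timeout-based reaping below is an assumed
defense used only to show the difference between a listener that never
releases half-open entries and one that does.
"""
from dataclasses import dataclass

BACKLOG = 8  # constructed: number of half-open slots the listener keeps


@dataclass
class HalfOpen:
    src: tuple      # (source IP, source port) taken from the SYN
    created: float  # simulated clock value when the SYN/ACK was sent


class Listener:
    """Listening TCP socket reduced to its half-open table."""

    def __init__(self, backlog=BACKLOG, half_open_timeout=None):
        self.backlog = backlog
        self.timeout = half_open_timeout  # None: entries are never reaped
        self.half_open = {}               # src -> HalfOpen
        self.established = set()
        self.dropped_syns = 0             # SYNs refused because the table was full
        self.clock = 0.0

    def tick(self, seconds):
        """Advance the simulated clock and reap stale half-open entries."""
        self.clock += seconds
        self._reap()

    def _reap(self):
        if self.timeout is None:
            return
        stale = [s for s, h in self.half_open.items()
                 if self.clock - h.created >= self.timeout]
        for s in stale:
            del self.half_open[s]

    def on_syn(self, src):
        """Handle an incoming SYN; return the reply, or None if it was dropped."""
        self._reap()
        if src in self.half_open:
            return "SYN/ACK"             # duplicate SYN: just retransmit
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None                  # table full: the SYN is discarded
        self.half_open[src] = HalfOpen(src, self.clock)
        return "SYN/ACK"

    def on_ack(self, src):
        """Handle the final ACK; True if the connection became established."""
        if self.half_open.pop(src, None) is None:
            return False                 # no matching half-open entry
        self.established.add(src)
        return True


def spoofed_flood(listener, count):
    """Send COUNT SYNs whose return addresses will never answer the SYN/ACK.

    Addresses are constructed from the 203.0.113.0/24 documentation range.
    """
    for i in range(count):
        listener.on_syn((f"203.0.113.{i % 254 + 1}", 40000 + i))


def legitimate_connect(listener, src=("192.0.2.10", 51000)):
    """Full three-way handshake from a real client; True on success."""
    if listener.on_syn(src) != "SYN/ACK":
        return False                     # our SYN was dropped
    return listener.on_ack(src)


def run_scenario(defended, flood_size=20, wait_seconds=5.0):
    """Flood the listener, wait, then let a legitimate client try to connect."""
    listener = Listener(half_open_timeout=3.0 if defended else None)
    spoofed_flood(listener, flood_size)
    after_flood = len(listener.half_open)
    listener.tick(wait_seconds)          # time passes; a defended listener reaps
    connected = legitimate_connect(listener)
    return {
        "half_open_after_flood": after_flood,
        "half_open_final": len(listener.half_open),
        "dropped_syns": listener.dropped_syns,
        "legitimate_connected": connected,
    }


if __name__ == "__main__":
    for defended in (False, True):
        print("defended" if defended else "undefended", run_scenario(defended))
```

Running the two scenarios shows the failure mode the document describes: the undefended listener still holds all eight half-open entries after the flood and refuses the legitimate client's SYN, while the listener that reaps stale entries recovers and completes the handshake. Note that even the defended listener dropped SYNs during the burst itself; a timeout only frees capacity afterwards, which is why a sustained flood needs the stack-level protection the resolution below enables rather than a timeout alone.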
RESOLUTION
To protect a TCP/IP 4.1 system:
The ability to protect against this type of attack is built in to TCP/IP 4.1. To enable this protection:
1. To GET the current status of the SYNATTACK parameter in the INETCFG.INI file, go to an OS/2 command line and type:
   INETCFG -G SYNATTACK
   then press Enter.
2. By default, SYNATTACK is set to 0, which means OFF.
3. To SET the SYNATTACK parameter in the INETCFG.INI file to an ON state (1), type the following at an OS/2 command line:
   INETCFG -S SYNATTACK 1
4. With this setting in place, TCP/IP 4.1 will now prevent the SYNATTACK from occurring.
To protect a TCP/IP 4.0 system (OS/2 Warp 4):
To add this protection to a TCP/IP 4.0 system:
1. Apply MPTS CSD (Corrective Service Diskettes) WR08415 or greater.
2. Apply the fix for APAR (Authorized Program Analysis Report) IC18755. This APAR replaces the SOCKETS.SYS file and adds a new SYNDEF.EXE file, which allows you to enable or disable the SYN defenses.
The following options are available for this program:
SYNDEF.EXE ON   (enables SYN defenses)
SYNDEF.EXE OFF  (disables SYN defenses)
SYNDEF.EXE -?   (displays SYNDEF syntax)
Note: For earlier versions of TCP/IP, apply MPTS CSD WR08415 to update the TCP/IP stack to 4.0, then continue with the steps to protect TCP/IP 4.0 systems.
__________________________________________________________________________________________________________________________________
IBM disclaims all warranties, whether express or implied, including without limitation, warranties of fitness and merchantability with respect to the information in this document. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright (c) 1994, 1996 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.
__________________________________________________________________________________________________________________________________