COMMAND

    SYN Attack

SYSTEMS AFFECTED

    HP 9000 Series 700/800s running versions of HP-UX 9.X & 10.X

PROBLEM

    A SYN attack is a denial-of-service attack: at least one internet
    port is blocked from legitimate access. The attacker achieves this
    by sending enough packets to the targeted ports to completely block
    or severely curtail access to them. These packets are legal packets
    in compliance with the TCP/IP protocols, except that they carry
    forged source addresses.

    A TCP connection establishment normally takes an exchange of three
    TCP packets: an initial SYN packet from a client, a SYN-ACK packet
    from the server, and a final ACK (the SYN-ACK-ACK) from the client.
    Since the source address of the attacker's SYN packet is forged, the
    SYN-ACK-ACK packet never comes.

    Until the connection establishment process times out, a
    disproportionate amount of system resources is tied up: a slot in
    the attacked port's listen queue, memory to maintain the connection
    information, and CPU and network bandwidth to retransmit the SYN-ACK
    packet.

    A TCP listen port has a finite number of slots in its listen queue,
    and normally that number is relatively small. When an attacker sends
    enough forged SYN packets, the listen queue can be fully occupied,
    which then prevents any legitimate SYN packet from entering the
    listen queue.

    This info is based on Hewlett-Packard Advisory (ID HPSBUX9704-060)

SOLUTION

    HP-UX restricts raw socket access to root. The raw socket interface
    is not officially supported for normal users on HP-UX.

    Applying the appropriate patch (or a superseding patch) from the
    list below provides defense against SYN attacks that reach the
    machine.

        Patch Number     Release             Hardware Platform
        ------------------------------------------------------
        PHNE_9525        9.0                 s800
        PHNE_10864       9.01                s700
        PHNE_9100        9.03, 9.05, 9.07    s700
        PHNE_9101        9.04                s800
        PHNE_9102        10.01               s700
        PHNE_9103        10.01               s800
        PHNE_9104        10.10               s700
        PHNE_9105        10.10               s800
        PHNE_9106        10.20               s700
        PHNE_9107        10.20               s800

    A system-wide kernel parameter is provided to set a minimum length
    for a listen socket queue without requiring programmatic change. A
    replacement algorithm is used to remove a half-open connection from
    the listen socket queue when that queue is full.
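    The following Python model is added here to illustrate the two
    behaviours the advisory describes: the listen queue filling with
    half-open entries from forged SYNs (PROBLEM section) and the
    replacement algorithm that evicts a half-open entry when the queue
    is full (SOLUTION section). It is not HP-UX code and not part of
    the advisory; the backlog of 8 slots, the 75-second establishment
    timeout, the "evict the oldest entry" policy and the addresses in
    the 198.51.100.0/24 and 192.0.2.0/24 documentation ranges are all
    constructed assumptions.

```python
"""Toy model of a TCP listen queue under a SYN flood (added illustration,
not HP-UX code; queue length, timeout and replacement policy are assumed)."""
from collections import OrderedDict


class ListenQueue:
    """Half-open connections: SYN received, final ACK not yet seen."""

    def __init__(self, backlog, syn_timeout, replace_when_full):
        self.backlog = backlog                 # slots in the listen queue (assumed small)
        self.syn_timeout = syn_timeout         # seconds a half-open entry may wait (assumed)
        self.replace_when_full = replace_when_full
        self.pending = OrderedDict()           # (src_ip, src_port) -> SYN arrival time, oldest first
        self.established = 0
        self.refused_syns = 0                  # SYNs dropped because the queue was full
        self.evicted = 0                       # entries pushed out by the replacement policy

    def _expire(self, now):
        """Drop entries whose connection-establishment timer has run out."""
        stale = [k for k, t in self.pending.items() if now - t >= self.syn_timeout]
        for k in stale:
            del self.pending[k]

    def on_syn(self, key, now):
        """Server side of the first handshake packet. True if a slot was taken."""
        self._expire(now)
        if key in self.pending:
            return True                        # retransmitted SYN: already queued
        if len(self.pending) >= self.backlog:
            if not self.replace_when_full:
                self.refused_syns += 1
                return False                   # unpatched behaviour: the newcomer is refused
            self.pending.popitem(last=False)   # replacement policy: evict the oldest half-open entry
            self.evicted += 1
        self.pending[key] = now
        return True

    def on_ack(self, key, now):
        """Third handshake packet. Completes only if the half-open entry survived."""
        self._expire(now)
        if self.pending.pop(key, None) is None:
            return False
        self.established += 1
        return True


def run_flood(replace_when_full, spoofed_syns=20, backlog=8, syn_timeout=75.0):
    """Constructed scenario: a burst of forged SYNs, then one legitimate client."""
    q = ListenQueue(backlog, syn_timeout, replace_when_full)
    # Forged sources never answer the SYN-ACK, so their entries stay until they time out.
    for i in range(spoofed_syns):
        q.on_syn(("198.51.100.%d" % i, 40000 + i), now=0.001 * i)
    legit = ("192.0.2.10", 51234)
    syn_ok = q.on_syn(legit, now=1.0)
    ack_ok = q.on_ack(legit, now=1.1) if syn_ok else False
    # The same client tries again once the half-open entries have timed out.
    retry_syn = q.on_syn(legit, now=syn_timeout + 1.0)
    retry_ok = q.on_ack(legit, now=syn_timeout + 1.1) if retry_syn else False
    return {
        "legit_established_during_flood": ack_ok,
        "legit_established_after_timeout": retry_ok,
        "refused_syns": q.refused_syns,
        "evicted": q.evicted,
        "established": q.established,
    }


if __name__ == "__main__":
    for policy in (False, True):
        print("replace_when_full=%s -> %s" % (policy, run_flood(policy)))
```

    Without replacement the legitimate client is refused for the whole
    timeout period and only connects after the forged entries expire;
    with replacement it connects during the flood because its SYN evicts
    the oldest half-open entry. The model also shows the limit of the
    mitigation: a legitimate entry can itself be evicted if more than a
    backlog's worth of new SYNs arrive between its SYN and its ACK, which
    is why the advisory pairs the kernel parameter with the patches.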