Q: This is just for bikerman-ga... (Answered 5 out of 5 stars, 0 Comments)
Question  
Subject: This is just for bikerman-ga...
Category: Computers > Operating Systems
Asked by: mrexcessive-ga
List Price: $15.00
Posted: 22 Oct 2002 04:27 PDT
Expires: 21 Nov 2002 03:27 PST
Question ID: 86397
Hi bikerman-ga... sorry I couldn't find out how to get in touch...
haven't used answers.google before and their support couldn't think of
a better way for me to get in touch than create another question just
for you.

I've upped price to $15, my apologies for the inconvenience caused!
Answer  
Subject: Re: This is just for bikerman-ga...
Answered By: bikerman-ga on 23 Oct 2002 05:32 PDT
Rated: 5 out of 5 stars
 
Hello, again.

No inconvenience--I'm glad to have the opportunity to finish answering
the question.  I have learned quite a bit answering this question,
and hope you find the information helpful.

It does in fact appear that your kernel version is subject to the
security hole if syncookies are enabled.  Redhat security advisory
RHSA-2001:142-15 addresses the problem and also gives a nice
description of what syncookies do.  Here is the URL to the
advisory:

http://rhn.redhat.com/errata/RHSA-2001-142.html

The good news is that you don't need to compile your own kernel,
but can use RPM to install the one Redhat provides.  If you have
never installed a kernel via RPM, please be sure to read
"Upgrading the Linux Kernel on Red Hat Linux systems".  This
document is located at

http://www.redhat.com/support/resources/howto/kernel-upgrade/

Upgrading the kernel via RPM isn't at all difficult, but you have
to be careful to follow the procedure outlined in the HOWTO above,
or you might end up with an unbootable system.

To turn on syncookies immediately, you can run the following
command (as root):

# echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Likewise, you can check to see if syncookies are enabled by
running

$ cat /proc/sys/net/ipv4/tcp_syncookies

Since the results of the "echo" command will only remain effective
until you re-boot, you need a way to make the change stick.  There
are two ways to accomplish this, but I prefer the first:

1) Add the following line in /etc/sysctl.conf:
net.ipv4.tcp_syncookies=1

2) Add the following line to your rc.local script (on Redhat 7.1,
this script is /etc/rc.d/rc.local):
/bin/echo 1 > /proc/sys/net/ipv4/tcp_syncookies

There have been reports of machines with syncookies enabled
behaving strangely, but others haven't had any problems--you'll
just have to try it for yourself.  Here's a very informative
posting regarding syncookies on a LinuxChix mailing list:

http://mailman.linuxchix.org/pipermail/courses/2002-April/000433.html

If you decide that you don't like syncookies, you could set up a
firewall rule which blocks the offending IP.  I'm not a firewall
guru, but it seems to me that this would at least hamper the
attack.  Since the SYN flooding attack relies on a spoofed source
address, it shouldn't cause any problems to block the address.
However, if the attacker is persistent, they could just pick
another invalid address.  See the additional links section below
for links to information on setting up a firewall with both
IPChains and IPTables (if you don't upgrade to the 2.4 series
kernels, you'll be stuck with IPChains).


Additional Links:

The IPCHAINS HOWTO
http://www.netfilter.org/ipchains/HOWTO.html 

The Firewall-HOWTO
http://www.tldp.org/HOWTO/Firewall-HOWTO.html

The Netfilter/IPTables homepage
http://www.netfilter.org/

The netfilter homepage also hosts information on the older
ipchains:
http://www.netfilter.org/ipchains/

Network Computing has an informative article on SYN flooding:
http://www.networkcomputing.com/unixworld/security/004/004.txt.html

Linux Magazine has an article titled "Keeping the TCP/IP Stream
Flowing" describing SYN attacks, among other things.  It was
written by Paul "Rusty" Russell, the initial author and head
maintainer of the Linux netfilter code.
http://www.linux-mag.com/1999-08/bestdefense_01.html

The Linux Firewall and Security Site has many useful firewalling
links:
http://www.linux-firewall-tools.com/linux/

The CERT advisory regarding SYN flooding:
http://www.cert.org/advisories/CA-1996-21.html

Daniel Bernstein, the inventor of SYN cookies (and also the author
of the qmail MTA), has a page about SYN cookies here:
http://cr.yp.to/syncookies.html

The Linux Documentation Project:
http://www.tldp.org


Search Strategy:

Google search terms:

redhat  SYN_RECV
://www.google.com/search?q=redhat++SYN_RECV&hl=en&lr=&ie=UTF-8&start=10&sa=N

linux tcp syn flooding
://www.google.com/search?q=linux%20tcp%20syn%20flooding&sourceid=opera&num=0

linux tcp syn flooding ipchains OR iptables
://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&q=linux+tcp+syn+flooding+ipchains+OR+iptables&btnG=Google+Search


Good luck and happy Linuxing!
bikerman-ga
mrexcessive-ga rated this answer: 5 out of 5 stars
bikerman-ga has provided complete and well qualified support, most
useful and educational.
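The steps bikerman-ga describes (check the /proc flag, flip it, make it stick in /etc/sysctl.conf, and optionally block a flooding source with ipchains or iptables) collected into one POSIX shell script. This is an added example, not part of the original answer. The paths are parameters so it can be exercised against a scratch directory without root; the netstat sample is constructed, not captured from a real host; and the helper names (syncookies_enabled, persist_syncookies, count_syn_recv, block_source_cmd) are this example's own. The firewall helper only prints the rule rather than applying it, since, as the answer notes, a spoofed source address makes that rule of limited value.

```shell
#!/bin/sh
# Added example: SYN-cookie checks and SYN-flood triage on a 2.2/2.4-era
# Red Hat box. Paths default to the real locations but can be overridden
# for testing. Function names are assumptions of this example.

# Return 0 if the given tcp_syncookies proc file reads "1".
syncookies_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Enable SYN cookies immediately (needs root on a live system; lost at reboot).
enable_syncookies_now() {
    echo 1 > "$1"
}

# Persist the setting in sysctl.conf idempotently: drop any existing
# net.ipv4.tcp_syncookies line, keep every other line, append ours once.
persist_syncookies() {
    conf=$1
    tmp="$conf.tmp"
    {
        grep -v '^net\.ipv4\.tcp_syncookies' "$conf" 2>/dev/null
        echo 'net.ipv4.tcp_syncookies=1'
    } > "$tmp" && mv "$tmp" "$conf"
}

# Read `netstat -tn` output on stdin and print "count ip" for every foreign
# address holding SYN_RECV connections, busiest first. Column 5 is the
# foreign address, column 6 the state; IPv4 only (IPv6 addresses contain
# colons and would need a different split).
count_syn_recv() {
    awk '$6 == "SYN_RECV" { split($5, a, ":"); n[a[1]]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print (do not run) a rule dropping SYN packets from one source, for
# either firewall generation mentioned in the answer.
block_source_cmd() {
    case $1 in
        iptables) printf 'iptables -I INPUT -s %s -p tcp --syn -j DROP\n' "$2" ;;
        ipchains) printf 'ipchains -I input -s %s -p tcp -y -j DENY\n' "$2" ;;
        *) echo "unknown tool: $1" >&2; return 1 ;;
    esac
}

# Constructed netstat -tn sample (not from a real host): three half-open
# connections from one address, one from another, one established session.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80        192.0.2.77:40001     SYN_RECV
tcp        0      0 10.0.0.5:80        192.0.2.77:40002     SYN_RECV
tcp        0      0 10.0.0.5:80        192.0.2.77:40003     SYN_RECV
tcp        0      0 10.0.0.5:22        198.51.100.9:51234   ESTABLISHED
tcp        0      0 10.0.0.5:80        203.0.113.4:3000     SYN_RECV'

# Safe to run anywhere: rank the sample's SYN_RECV sources.
printf '%s\n' "$SAMPLE_NETSTAT" | count_syn_recv

# On a live system, as root, the full procedure would be:
#   syncookies_enabled /proc/sys/net/ipv4/tcp_syncookies || \
#       enable_syncookies_now /proc/sys/net/ipv4/tcp_syncookies
#   persist_syncookies /etc/sysctl.conf
#   netstat -tn | count_syn_recv | head -n 5
```

A sustained count in the hundreds from a single source is the pattern the answer describes; with cookies enabled the backlog no longer fills, so the SYN_RECV count itself becomes a less useful signal and the netstat check is mostly worth running before the change.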

Comments  
There are no comments at this time.
