UNIX IP Stack Tuning Guide
BY XUNDI <XFocus (安全焦点)> 2001/01/08
xundi@xfocus.org
http://www.xfocus.org
Original: robt@cymru.com
The purpose of this document is to tune the UNIX IP stack so that it resists
the common attacks of today more effectively. It gives recommended settings for
UNIX systems providing network services such as HTTP or routing, covering the
following UNIX variants:
A. IBM AIX 4.3.X
B. Sun Solaris 7
C. Compaq Tru64 UNIX 5.X
D. HP HP-UX 11.0 (research ongoing)
E. Linux kernel 2.2 (tested on both SuSE Linux 7.0 and RedHat 7.0)
F. FreeBSD
G. IRIX 6.5.10
The tuning parameters and commands described below do not survive a reboot.
If you want them to stay in effect permanently, add the same commands to the
appropriate startup file:
AIX - /etc/rc.net
Solaris - /etc/init.d/inetinit
Tru64 UNIX - use the sysconfigdb or dxkerneltuner command
HP-UX - /etc/rc.config.d/nddconf
Linux kernel 2.2 - /etc/sysctl.conf
FreeBSD - /etc/rc.conf
IRIX - use the systune command
====================================================================
IP stack tuning recommendations:
1. Tune the TCP send and receive spaces
The TCP send and receive spaces directly determine the TCP window size. Up to a
point, a larger window makes transfers more efficient, especially for services
that move a lot of data such as FTP and HTTP. The defaults are not optimal on
every system; in general, raise the window to 32768 bytes. Unless you clearly
understand RFC1323 (http://www.ietf.org/rfc/rfc1323.txt?number=1323) and RFC2018
(http://www.ietf.org/rfc/rfc2018.txt?number=2018) when you set it, do not raise
this value above 64K bytes: without the window scaling option of RFC1323 the
16-bit TCP window field cannot advertise more than 65535 bytes anyway.
A. AIX
/usr/sbin/no -o tcp_sendspace=32768
/usr/sbin/no -o tcp_recvspace=32768
B. Solaris
/usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat 32768
/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 32768
C. Tru64 UNIX
No tuning recommended.
D. HP-UX
The TCP send and receive spaces already default to 32768.
E. Linux kernel 2.2
Linux sizes the TCP send and receive spaces automatically and by default supports
both RFC1323 (large window support, net.ipv4.tcp_window_scaling) and RFC2018
(SACK support, net.ipv4.tcp_sack).
F. FreeBSD
sysctl -w net.inet.tcp.sendspace=32768
sysctl -w net.inet.tcp.recvspace=32768
G. IRIX
The TCP send and receive spaces default to 64K bytes.
2. Tune the socket queues to resist SYN floods
Any network application has to open one or more ports to the outside world, so an
attacker can always aim a denial of service at those ports. One popular attack is
the SYN flood. The source IP addresses of the attacking packets are spoofed; since
IP routing only looks at the destination address, the SYN reaches the target, but
the target's SYN|ACK is sent to an address that never answers, so the TCP three-way
handshake never completes. Meanwhile the queue of pending connections fills up
quickly and new connection requests are refused. To counter this, several UNIX
variants keep two separate queues for inbound connections: one for half-open
sockets (SYN received, SYN|ACK sent) and one for fully open sockets waiting for the
application's accept() call. Enlarging both queues softens a SYN flood and keeps
its impact on the server to a minimum:
A. AIX
/usr/sbin/no -o clean_partial_conns=1
This tells the kernel to drop half-open sockets from the q0 queue at random to
make room for new ones.
B. Solaris
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024
Sets the size of the q queue, which holds connections waiting for the
application's accept() call.
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 2048
Sets the size of the q0 queue, which holds half-open sockets.
C. Tru64 UNIX
/sbin/sysconfig -r socket sominconn=65535
sominconn determines how many simultaneous incoming SYN packets the system can
handle.
/sbin/sysconfig -r socket somaxconn=65535
somaxconn sets how many pending TCP connections the system will hold.
D. HP-UX
/usr/sbin/ndd -set /dev/tcp tcp_syn_rcvd_max 1024
/usr/sbin/ndd -set /dev/tcp tcp_conn_request_max 200
(Both are TCP parameters, so ndd needs the /dev/tcp device name.)
E. Linux kernel 2.2
/sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=1280
Effectively enlarges the q0 (half-open) socket queue.
/sbin/sysctl -w net.ipv4.tcp_syncookies=1
Enables TCP SYN cookies (the sysctl is spelled tcp_syncookies), which mitigate
SYN floods very effectively. The cost is that a SYN cookie cannot encode the
options negotiated in the SYN, so connections set up under cookie protection lose
the large-window and SACK features of RFC1323 and RFC2018, which can hurt
performance on high-bandwidth paths.
F. FreeBSD
sysctl -w kern.ipc.somaxconn=1024
G. IRIX
The listen() queue is hard-coded to 32, but the actual number of pending
connections the system allows is ((3 * backlog) / 2) + 1, giving a maximum
backlog of 49.
3. Tune the redirect parameters
A malicious user can use ICMP redirects to modify the routing table of a remote
host. In a well-designed network, end hosts have no need for redirects, so both
sending and accepting redirect packets should be turned off.
A. AIX
/usr/sbin/no -o ipignoreredirects=1
/usr/sbin/no -o ipsendredirects=0
B. Solaris
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0
C. Tru64 UNIX
No tuning recommended.
D. HP-UX
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0
E. Linux kernel 2.2
/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
F. FreeBSD
sysctl -w net.inet.icmp.drop_redirect=1
sysctl -w net.inet.icmp.log_redirect=1
sysctl -w net.inet.ip.redirect=0
sysctl -w net.inet6.ip6.redirect=0
G. IRIX
/usr/sbin/systune icmp_dropredirects to 1
4. Tune the ARP cleanup settings
By stuffing the ARP cache with forged entries, a malicious user can cause resource
exhaustion and degraded performance. Shortening the interval at which stale
entries are flushed limits the damage: on Solaris the arp_cleanup_interval
parameter (in milliseconds) controls this, and on AIX the equivalent is arpt_killc
(in minutes).
A. AIX
/usr/sbin/no -o arpt_killc=20
B. Solaris
/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000
C. Tru64 UNIX
ûÓвο¼µÄµ÷ÕûÉèÖÃ.
D. HP-UX
Defaults to 5 minutes.
E. Linux kernel 2.2
ûÓвο¼µÄµ÷ÕûÉèÖÃ.
F. FreeBSD
sysctl -w net.link.ether.inet.max_age=1200
G. IRIX
ûÓвο¼µÄµ÷ÕûÉèÖÃ.
5. Tune the source-routing settings
With source routing an attacker can try to reach internal IP addresses, including
the RFC1918 private ranges. Refusing source-routed packets keeps your internal
network from being probed this way.
A. AIX
/usr/sbin/no -o ipsrcroutesend=0
Do not send source-routed packets.
/usr/sbin/no -o ipsrcrouteforward=0
This parameter matters if the system routes traffic, for example as a firewall:
turning it off stops the system from forwarding source-routed packets.
B. Solaris
/usr/sbin/ndd -set /dev/ip ip_src_route_forward 0
This parameter matters if the system routes traffic, for example as a firewall:
turning it off stops the system from forwarding source-routed packets.
C. Tru64 UNIX
No tuning recommended.
D. HP-UX
ndd -set /dev/ip ip_forward_src_routed 0
Turning this off stops the system from forwarding source-routed packets.
E. Linux kernel 2.2
/sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
Drop all source-routed packets.
/sbin/sysctl -w net.ipv4.conf.all.forwarding=0
/sbin/sysctl -w net.ipv4.conf.all.mc_forwarding=0
Do not forward source-routed frames. Note that these two settings turn off all IP
and multicast forwarding, not just forwarding of source-routed packets, so they
belong on a host that is not a router. On a router, leave forwarding on and rely
on accept_source_route=0, which refuses source-routed packets whether they are
addressed to the host or would be forwarded.
F. FreeBSD
sysctl -w net.inet.ip.sourceroute=0
sysctl -w net.inet.ip.accept_sourceroute=0
G. IRIX
/usr/sbin/systune ipforward to 2
6. Tune the TIME_WAIT setting
On a busy web server, many sockets can end up in the TIME_WAIT state. This is
often caused by carelessly written client applications that do not close sockets
properly, and it can be used as a denial of service.
A. AIX
No recommended setting.
B. Solaris
/usr/sbin/ndd -set /dev/tcp tcp_time_wait_interval 60000
This parameter (in milliseconds) controls how long a TCP socket stays in
TIME_WAIT. The default is too high for a busy web server, so it is lowered to 60
seconds here. This parameter name applies to Solaris 7 and later; before Solaris 7
it was misleadingly named tcp_close_wait_interval.
C. Tru64 UNIX
No tuning recommended.
D. HP-UX
ndd -set /dev/tcp tcp_time_wait_interval 60000
Sockets stay in TIME_WAIT for no more than 60 seconds.
E. Linux kernel 2.2
/sbin/sysctl -w net.ipv4.vs.timeout_timewait=60
Sockets stay in TIME_WAIT for no more than 60 seconds. Caveat: the net.ipv4.vs.*
sysctls belong to the IPVS (Linux Virtual Server) load balancer and only exist when
that module is loaded; this one ages out IPVS connection-table entries and does
not change the TIME_WAIT time of ordinary TCP sockets, which the 2.2 stack fixes at
60 seconds and does not expose as a sysctl.
F. FreeBSD
No tuning recommended.
G. IRIX
/usr/sbin/systune tcp_2msl to 60
7. Tune the broadcast ECHO response
In a Smurf attack, ICMP type 8 code 0 (ECHO REQUEST) messages with a spoofed source
address are sent to a broadcast address; every host whose IP stack answers
broadcast echo requests then floods the spoofed victim with replies. Some IP stacks
respond to these by default, so the feature must be turned off. If the host is
used as a firewall (router), turning it off also means it no longer handles
directed broadcasts, so make sure nothing legitimately depends on them.
A. AIX
/usr/sbin/no -o directed_broadcast=0
Do not respond to directed broadcasts.
B. Solaris
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
Do not respond to directed broadcasts.
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
Do not forward directed broadcasts.
C. Tru64 UNIX
No tuning recommended.
D. HP-UX
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
Do not respond to directed broadcasts.
ndd -set /dev/ip ip_forward_directed_broadcasts 0
Do not forward directed broadcasts.
E. Linux kernel 2.2
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
Ignore echo requests sent to broadcast addresses.
F. FreeBSD
sysctl -w net.inet.icmp.bmcastecho=0
G. IRIX
/usr/sbin/systune allow_brdaddr_srcaddr to 0
8. Tune for other broadcast probes
Two other broadcast probes are useful to a malicious user. An address-mask request
reveals the size and range of the network segment, and a timestamp broadcast can
be used to map hosts and fingerprint their type.
A. AIX
/usr/sbin/no -o icmpaddressmask=0
Prevents address-mask queries.
B. Solaris
/usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
Prevents address-mask queries.
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
Turns off responses to broadcast timestamp requests.
C. Tru64 UNIX
No tuning recommended.
D. HP-UX
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
Prevents disclosure of the host's configured netmask.
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
Turns off responses to broadcast timestamp requests.
E. Linux kernel 2.2
No tuning recommended.
F. FreeBSD
sysctl -w net.inet.icmp.maskrepl=0
G. IRIX
Use ipfilterd to block the unwanted ICMP types.
9. Tune for RFC1948 support
The following settings make the stack use the RFC1948
(http://www.ietf.org/rfc/rfc1948.txt?number=1948) TCP/IP sequence-number
generation technique, so that the initial sequence number of a TCP connection is
very hard to predict:
B. Solaris
Set TCP_STRONG_ISS=2 in /etc/default/inetinit.
This requires a reboot to take effect.
G. IRIX
/usr/sbin/systune tcpiss_md5 to 1
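The Linux settings from sections 2, 3, 5 and 7 above are easy to type once and
then lose track of. The script below is an added example, not part of the
original guide or of any vendor tool: it audits a host against those recommended
values, reports drift or keys the kernel does not expose, and renders the same
policy in /etc/sysctl.conf syntax so it survives a reboot. Only the sysctl names
and values come from the guide; the function names and the sample sysctl -a dump
are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a Linux host against the
# sysctl values recommended in sections 2, 3, 5 and 7 above, and emit the
# /etc/sysctl.conf lines that make them persist. Function names and the
# sample dump below are this example's own.

# Policy: one "key value" per line; comment lines are stripped.
hardening_policy() {
    grep -v '^#' <<'EOF'
# Section 2: SYN flood. The real sysctl is tcp_syncookies.
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_max_syn_backlog 1280
# Section 3: ICMP redirects, both directions.
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_redirects 0
# Section 5: source routing. net.ipv4.conf.all.forwarding is left out on
# purpose: setting it to 0 disables all routing, not only source routing.
net.ipv4.conf.all.accept_source_route 0
# Section 7: Smurf amplification.
net.ipv4.icmp_echo_ignore_broadcasts 1
EOF
}

# audit_sysctl_dump FILE: compare FILE, in the "key = value" format that
# `sysctl -a` prints, against the policy. Prints one line per problem and
# returns the number of problems (0 = compliant). A key the kernel does not
# expose is reported as MISSING rather than silently skipped, which is what
# you see for net.ipv4.vs.* when IPVS is not loaded.
audit_sysctl_dump() {
    dump=$1
    bad=0
    # Loop fed by a here-document, not a pipe, so $bad survives in POSIX sh.
    while read -r key want; do
        have=$(awk -v k="$key" '$1 == k { print $3; exit }' "$dump")
        if [ -z "$have" ]; then
            echo "MISSING  $key"
            bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "DRIFT    $key = $have (want $want)"
            bad=$((bad + 1))
        fi
    done <<EOF
$(hardening_policy)
EOF
    return "$bad"
}

# render_sysctl_conf: the policy in /etc/sysctl.conf syntax, so it is
# reapplied at boot (see the persistence note at the top of the guide).
render_sysctl_conf() {
    echo "# IP stack hardening, generated from hardening_policy"
    hardening_policy | while read -r key want; do
        echo "$key = $want"
    done
}

# apply_hardening: push the policy into the running kernel. Needs root.
apply_hardening() {
    hardening_policy | while read -r key want; do
        sysctl -w "$key=$want"
    done
}

# Constructed sample of `sysctl -a` output from a host still at the defaults
# the guide warns about (syncookies off, redirects honoured, small backlog).
sample_dump() {
    cat <<'EOF'
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
}

# Command-line use: "audit" checks the live kernel (read-only), "apply"
# writes the policy (root). Sourcing the file runs nothing.
case "${1:-}" in
    audit)
        tmp=$(mktemp)
        sysctl -a 2>/dev/null > "$tmp"
        audit_sysctl_dump "$tmp"; rc=$?
        rm -f "$tmp"
        exit "$rc"
        ;;
    apply)
        apply_hardening
        ;;
esac
```

Run it as `sh harden-ipstack.sh audit` from cron or a configuration check and treat
a non-zero exit as drift; the MISSING case is deliberate, because a setting that
the kernel silently lacks (an unloaded module, a renamed sysctl) is exactly the
one an audit should not skip over. Only the .all. interface group is checked, as in
the guide; on a multi-homed box you would extend the policy with the per-interface
keys.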