*BSD News Article 79934

Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.Hawaii.Edu!news.uoregon.edu!news-peer.gsl.net!news.gsl.net!howland.erols.net!newsfeed.internetmci.com!in3.uu.net!omega.metrics.com!omega.metrics.com!not-for-mail
From: polk@BSDI.COM
Newsgroups: comp.unix.bsd.bsdi.announce
Subject: PATCHES: New OFFICIAL patches for BSD/OS 2.1
Followup-To: comp.unix.bsd.bsdi.misc
Date: 4 Oct 1996 10:09:22 -0400
Organization: BSDI
Lines: 274
Sender: tomh@omega.metrics.com
Approved: tomh@metrics.com
Message-ID: <5335qi$lka@omega.metrics.com>
NNTP-Posting-Host: omega.metrics.com


There are several new patches available from the patches
server or via the ftp archive at:
	ftp://ftp.bsdi.com/bsdi/patches/patches-2.1

All of the README file entries are appended at the bottom
of this message.  The patches are U210-024, U210-025, U210-026, 
K210-021, K210-022, and K210-023.  The kernel patches depend
on the K210-019 performance patch which is now available to all
BSDI 2.1 customers via anonymous ftp (it had previously only
been available for customers with valid support contracts).
As usual, the md5 signatures are in the README entries
and the pgp signatures are in the signatures subdirectory of
the patches directory.

The first of the utilities patches (U210-024) has been available
from the servers since Sept. 18, but has not been announced until
now -- it updates sendmail to version 8.7.6, thus closing the
holes referenced in CERT advisory CA-96.20.

The third utilities patch (U210-026) replaces the shared libc
library and closes a hole in the resolver library routines which
has seen discussion recently in various security related forums.

The third kernel patch (K210-023) updates the de(4)
DEC PCI Ethernet driver to include support for the
DE500-AA version and fixes several bugs.

The remainder of the patches (K210-021, K210-022, and U210-025)
add support for IP source checking, and for reducing and/or
eliminating problems associated with SYN attacks, IP fragment
attacks, and some other denial of service/looped server attacks.

IP source address verification is a valuable tool for protecting
against some forms of IP-spoofing as described in CERT advisory
CA-96.21, "TCP SYN Flooding and IP Spoofing Attacks".  The full text
of this advisory is available as:
    ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding

If you are a service provider, using IP source verification will
protect your customers against attacks from the Internet which
appear to be coming from your customers' networks, and it will
ensure that packets sent from your customers' networks have a source
address on your customers' networks (preventing them from spoofing
source addresses and/or attacking others).

Jeff
--
     /\   Jeff Polk            Berkeley Software Design, Inc. (BSDI)
  /\/  \  polk@BSDI.COM        5575 Tech Center Dr. #110, Colo Spgs, CO 80919

===================================================================

PATCH:
    K210-019

SUMMARY:
	This patch adds several TCP performance enhancements.
	    o PCB hashing
	    o Optimized delayed ACK processing
	    o Optimized TIME-WAIT state processing
	    o Initial congestion window fixes
	    o Eliminate sending small packets when more data is
	      waiting to be copied from the application, but
	      don't delay them unnecessarily when there isn't.
	
	This patch also includes a new kernel config option,
	INET_SERVER.  Turning on this option will cause the
	PCB hashing code to use a much larger hash table.
	Typically this would be useful on busy WEB servers.

md5 checksum: 9527c357be5a70f718236073a66fad94 K210-019

===================================================================

PATCH:
    K210-021

SUMMARY:
	This patch adds two networking features that can help defeat
	and detect some types of denial of service attacks.
	The first feature is a limit on the number of fragmented IP
	packets in the IP reassembly queue.  The default limit is 200
	and can be changed with the sysctl(8) variable
	"net.inet.ip.maxfragpackets".  To change the limit of the
	number of packets on the IP reassembly queue add a command
	like the following to the end of /etc/netstart.  This example
	would reduce the limit on outstanding fragments to 100:

		sysctl -w net.inet.ip.maxfragpackets=100


	The second feature is an optional test to ensure that packets
	are received on the expected interface.  This feature looks up
	the route back to the source of received IP packets.  If there
	is no route to the source available, or the packet did not
	arrive on the expected interface, the packet is discarded.  The
	expected interface is the one that would be used to send a
	packet back to the reported source of the packet.

	IP source address verification should not be used when
	concurrent alternate paths exist from the BSD/OS system where
	this feature is enabled, as this may cause valid packets to be
	discarded.  For example, a small ISP that has one connection to a
	backbone network and one connection to each of its clients
	could enable this feature.  If the same ISP has two
	connections to a backbone network, or one connection to each
	of two backbone networks, they should not enable this feature.

	IP source address verification is a valuable tool for
	protecting against some forms of IP-spoofing as described in
	CERT advisory CA-96.21, "TCP SYN Flooding and IP Spoofing
	Attacks".  The full text of this advisory is available as
	ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding.
	If you are a service provider, using IP source verification
	will protect your customers against attacks from the Internet
	which appear to be coming from your customers' networks, and
	it will ensure that packets sent from your customers' networks
	have a source address on your customers' networks (preventing
	them from spoofing source addresses and/or attacking others).

	This feature is enabled via the "net.inet.ip.sourcecheck"
	sysctl(8) variable or by adding the "IPSOURCECHECK" option
	when building a kernel.  For example, to enable IP source
	address verification, add the following command to the end of
	/etc/netstart:

		sysctl -w net.inet.ip.sourcecheck=1

	The IP source address verification code will log a message
	when discarding a packet.  To prevent a large number of
	these packets from using an excessive amount of disk space,
	log messages are limited to one per IP address per time
	interval.  The time interval defaults to five seconds and
	may be configured with the "net.inet.ip.sourcecheck_logint"
	sysctl(8) variable.  A value of zero disables the time
	interval.
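
The following is an added model of the source-check behaviour described
above (the route lookup back to the source, the expected-interface
comparison, and the one-message-per-address-per-interval logging); it is
illustration code written for this page, not BSDI's kernel code.  The
routing tables, interface names (backbone0, cust0, cust1) and packet
addresses are constructed, and the two constructor arguments mirror the
net.inet.ip.sourcecheck and net.inet.ip.sourcecheck_logint sysctl
variables.  demo_multihomed() reproduces the README's caveat: with two
backbone links the route lookup picks one of them, so valid packets
arriving on the other are discarded.

```python
"""Model of the IP source address verification ("reverse path") check and
its rate-limited logging.  Added illustration written for this page, not
BSDI's kernel code.  Routing tables, interfaces and packets are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]  # (destination prefix, outgoing interface)

# Constructed table for a small ISP: one backbone link, one link per customer.
ISP_ROUTES: List[Route] = [
    ("0.0.0.0/0", "backbone0"),
    ("192.0.2.0/24", "cust0"),
    ("198.51.100.0/24", "cust1"),
]


def route_lookup(dst: str, routes: List[Route]) -> Optional[str]:
    """Interface a packet to dst would be sent on (longest prefix wins),
    or None when there is no route at all."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ifname)
    return best[1] if best else None


class SourceCheck:
    """Per-packet check driven by the two sysctl knobs from the patch."""

    def __init__(self, routes: List[Route], sourcecheck: int = 1,
                 sourcecheck_logint: float = 5.0) -> None:
        self.routes = routes
        self.enabled = sourcecheck          # net.inet.ip.sourcecheck
        self.logint = sourcecheck_logint    # net.inet.ip.sourcecheck_logint; 0 = no limit
        self.dropped = 0
        self.log: List[str] = []
        self._last_logged: Dict[str, float] = {}

    def receive(self, src: str, ifname: str, now: float) -> bool:
        """True if the packet is accepted, False if it is discarded."""
        if not self.enabled:
            return True
        expected = route_lookup(src, self.routes)
        if expected is None:
            reason = "no route to source"
        elif expected != ifname:
            reason = f"expected on {expected}"
        else:
            return True
        self.dropped += 1
        self._log(src, ifname, reason, now)
        return False

    def _log(self, src: str, ifname: str, reason: str, now: float) -> None:
        # One message per source address per interval, unless the interval is 0.
        last = self._last_logged.get(src)
        if self.logint and last is not None and now - last < self.logint:
            return
        self._last_logged[src] = now
        self.log.append(f"sourcecheck: dropped packet from {src} on {ifname} ({reason})")


def demo_single_homed() -> Tuple[List[bool], int, int]:
    """Constructed packets against the single-homed ISP table."""
    sc = SourceCheck(ISP_ROUTES)
    results = [
        sc.receive("192.0.2.10", "cust0", 0.0),      # customer A on its own link: accepted
        sc.receive("192.0.2.10", "backbone0", 1.0),  # A's address from the backbone: spoofed, dropped
        sc.receive("203.0.113.5", "cust0", 2.0),     # outside address from a customer link: dropped
        sc.receive("203.0.113.5", "cust0", 3.0),     # same source within 5 s: dropped, not logged again
        sc.receive("203.0.113.5", "cust0", 9.0),     # after the interval: logged again
    ]
    return results, sc.dropped, len(sc.log)


def demo_multihomed() -> List[bool]:
    """The README's caveat: with two backbone links the lookup picks one of
    them, so valid traffic arriving on the other link is discarded."""
    routes: List[Route] = [("0.0.0.0/0", "backbone0"), ("0.0.0.0/0", "backbone1"),
                           ("192.0.2.0/24", "cust0")]
    sc = SourceCheck(routes)
    return [sc.receive("203.0.113.5", "backbone0", 0.0),   # accepted
            sc.receive("203.0.113.5", "backbone1", 0.0)]   # valid, but discarded


if __name__ == "__main__":
    print(demo_single_homed())
    print(demo_multihomed())
```

The rate limiter keys on the source address only, as the README states, so a
flood from one spoofed address produces one log line per interval no matter
how many interfaces it is seen on.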


	This patch requires U210-025 which provides new copies of
	sysctl(8) and netstat(1) for configuration and monitoring of
	these new features.

md5 checksum: c386e72f41d0e409d91b493631e364dd K210-021

===================================================================

PATCH:
    K210-022

SUMMARY:
	This patch adds a TCP SYN cache.  When a large number of
	SYN packets arrive for the same TCP port, the old code would
	drop the excess SYN packets, assuming that they will be
	retransmitted and that the current 1/2 open connections
	will soon be completed and removed from the queue.

	However, due to one-way and/or long paths, or malicious
	intent, the queue can become clogged with 1/2 open connections
	that will never complete, preventing any valid connections
	from being established.

	With the SYN cache, when the accept queue overflows a
	minimal amount of state is stored in the SYN cache, and
	a SYN,ACK response is sent.  If a valid ACK comes back,
	a complete connection is created.  If there is no route
	or a TCP RST or ICMP Unreachable comes back, the entry
	is deleted.  Otherwise, the entries will just time out.

	There are several new sysctl entries.  Note that they
	should not be changed unless there is evidence that the
	default values are not adequate.
	  o net.inet.tcp.syn_cache_limit
		This specifies the maximum number of entries
		that may be held in the SYN cache.
	  o net.inet.tcp.syn_bucket_limit
		This specifies the maximum number of entries
		that may be held in any individual hash bucket
		of the SYN cache.
	  o net.inet.tcp.syn_cache_interval
		This specifies in 0.5 second increments, how
		often the timeout routine for the SYN cache
		should be run.

	The default maximum cache size is 10255, with a hash
	table size of 293 and a maximum per bucket limit of
	105 (10255 = 293*35, 105 = 3*35).  If INET_SERVER
	is defined, the default maximum cache size is 34895,
	a hash table size of 997, and a per bucket limit of
	105 (34895 = 997*35, 105 = 3*35).
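
The following is an added model of the SYN cache behaviour described in
this entry (minimal state stored per SYN, a completed connection only on a
valid ACK, deletion on RST or ICMP unreachable, and timeout otherwise),
written for this page; it is not BSDI's kernel code.  The three sysctl
names become constructor arguments with the README defaults.  The entry
lifetime (30 s), the policy of refusing a new SYN when a limit is reached,
and the crc32 bucket hash are assumptions, since the README gives the limits
but not those details; all traffic in demo_flood() is constructed.

```python
"""Model of a TCP SYN cache with the K210-022 sysctl limits.  Added
illustration, not BSDI's kernel code; all traffic below is constructed."""
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int, int]  # (client address, client port, server port)


@dataclass
class SynEntry:
    iss: int        # server's initial sequence number sent in the SYN,ACK
    created: float  # time the SYN was cached


class SynCache:
    # Defaults from the README: 10255 = 293*35 entries, 105 = 3*35 per bucket.
    def __init__(self, syn_cache_limit: int = 10255, syn_bucket_limit: int = 105,
                 hash_size: int = 293, syn_cache_interval: int = 2,
                 ttl: float = 30.0) -> None:
        self.cache_limit = syn_cache_limit
        self.bucket_limit = syn_bucket_limit
        self.buckets: List[Dict[Key, SynEntry]] = [dict() for _ in range(hash_size)]
        self.interval = syn_cache_interval * 0.5  # sysctl value is in 0.5 s units
        self.ttl = ttl                             # assumed lifetime; not stated in the README
        self.count = 0
        self.next_iss = 1000
        self.last_timer = 0.0
        self.connections: List[Key] = []
        self.stats = {k: 0 for k in ("cached", "cache_full", "bucket_full",
                                     "completed", "bad_ack", "dropped", "timed_out")}

    def _bucket(self, key: Key) -> Dict[Key, SynEntry]:
        # Deterministic hash (assumed); Python's str hash is randomized per process.
        h = zlib.crc32(f"{key[0]}:{key[1]}:{key[2]}".encode()) % len(self.buckets)
        return self.buckets[h]

    def syn(self, src: str, sport: int, dport: int, now: float) -> Optional[int]:
        """Cache the SYN and return the ISS for the SYN,ACK; None if refused."""
        key = (src, sport, dport)
        bucket = self._bucket(key)
        if key in bucket:                     # retransmitted SYN: same SYN,ACK again
            return bucket[key].iss
        if self.count >= self.cache_limit:    # net.inet.tcp.syn_cache_limit
            self.stats["cache_full"] += 1
            return None
        if len(bucket) >= self.bucket_limit:  # net.inet.tcp.syn_bucket_limit
            self.stats["bucket_full"] += 1
            return None
        iss, self.next_iss = self.next_iss, self.next_iss + 1
        bucket[key] = SynEntry(iss, now)
        self.count += 1
        self.stats["cached"] += 1
        return iss

    def ack(self, src: str, sport: int, dport: int, ack_no: int, now: float) -> bool:
        """A valid ACK (our ISS + 1) turns the cached entry into a connection."""
        key = (src, sport, dport)
        bucket = self._bucket(key)
        entry = bucket.get(key)
        if entry is None or ack_no != entry.iss + 1:
            self.stats["bad_ack"] += 1
            return False
        del bucket[key]
        self.count -= 1
        self.connections.append(key)
        self.stats["completed"] += 1
        return True

    def drop(self, src: str, sport: int, dport: int) -> bool:
        """RST or ICMP unreachable for a cached SYN: delete the entry."""
        key = (src, sport, dport)
        if self._bucket(key).pop(key, None) is None:
            return False
        self.count -= 1
        self.stats["dropped"] += 1
        return True

    def timer(self, now: float) -> int:
        """Timeout routine; runs only once per syn_cache_interval."""
        if now - self.last_timer < self.interval:
            return 0
        self.last_timer = now
        expired = 0
        for bucket in self.buckets:
            for key in [k for k, e in bucket.items() if now - e.created >= self.ttl]:
                del bucket[key]
                expired += 1
        self.count -= expired
        self.stats["timed_out"] += expired
        return expired


def demo_flood() -> Dict[str, int]:
    """Constructed flood of half-open SYNs alongside one real handshake."""
    cache = SynCache()
    for i in range(50):  # 50 SYNs from spoofed sources that never complete
        cache.syn(f"203.0.113.{i + 1}", 40000 + i, 80, now=0.0)
    iss = cache.syn("192.0.2.10", 51000, 80, now=1.0)  # a real client still gets in
    assert iss is not None
    cache.ack("192.0.2.10", 51000, 80, ack_no=iss + 1, now=1.1)
    cache.ack("203.0.113.1", 40000, 80, ack_no=1, now=1.2)  # wrong ACK number: ignored
    cache.drop("203.0.113.1", 40000, 80)                    # RST clears one entry early
    cache.timer(now=31.0)                                   # the rest time out
    return {"entries": cache.count, "connections": len(cache.connections), **cache.stats}


if __name__ == "__main__":
    print(demo_flood())
```

Two things the model makes visible: the accept queue never fills with
half-open state, because the flood lives in the cache until the timer run,
and a forged ACK that does not carry our ISS + 1 creates nothing.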

md5 checksum: 9ec62b5e9cc424b9b42089504256d926 K210-022

===================================================================

PATCH:
    K210-023

SUMMARY:
	Synchronize de driver with latest stable version from Matt
	Thomas.  Includes support for the DE500-AA and fixes several
	bugs, one of which caused systems to hang or corrupt packets
	under heavy network load. This version of the driver does
	NOT add support for the Znyx 346 multiport card or the
	SMC9332BDT (the follow on to the EtherPower 10/100); the
	SMC9332BDT is recognized as an SMC 8432BA and does not
	operate.

	Note: This driver supports sharing interrupts on the PCI bus,
	but a problem in 2.1 (unrelated to the de driver) causes
	a warning message to be generated at boot time when interrupts
	are shared. This message is benign as long as the drivers
	sharing the interrupt are written to share interrupts.

md5 checksum: f9322e8e2cfba4a6862e59896f2ce3a3 K210-023

===================================================================

PATCH:
    U210-024

SUMMARY:
    This patch updates sendmail to the official 8.7.6 release which
    fixes some security problems from previous versions including
    those in the CA-96.20 CERT advisory and a recent Bugtraq posting.

md5 checksum: baa7f3139d40c95f42f4f30725339314 U210-024

===================================================================

PATCH:
    U210-025

SUMMARY:
	This patch should be installed in conjunction with the IP source
	address check and IP fragmentation queue limit patch
	(K210-021) and the SYN flooding patch (K210-022).

	The /usr/sbin/netstat and /usr/sbin/sysctl binaries have been
	updated to monitor and configure the kernel security patches
	mentioned above.  Both of these binaries can be run in
	conjunction with a kernel that does not have the above two
	patches installed.  The only side-effect will be that the new
	/usr/sbin/netstat will display garbage for the new counters.

	The /usr/sbin/inetd binary has been updated to add the -u
	option which provides limited UDP source port checking.
	By default the new version of inetd will ignore requests
	to internal services which appear to come from internal 
	services (to eliminate the loops which have been the source
	of some attacks).  See the manual page inetd(8) for 
	more information.

md5 checksum: d2ee01238ab6040e9b7a1bd2c3bf1016 U210-025

===================================================================

PATCH:
    U210-026

SUMMARY:
    This patch fixes a potential security problem in the DNS 
    lookup code where the library routine was too trusting of data
    returned from the remote server.

md5 checksum: d87b9efdf24f73ddef868388ecdf25f0 U210-026

===================================================================

-- 
[ /tom haapanen -- tomh@metrics.com -- software metrics inc -- waterloo, ont ]
[ "i don't even know what street canada is on"                  -- al capone ]