From the SunSolve web site, a search for "SYN flood" yielded some hints about how to tune networking parameters for Solaris aimed at avoiding denial of service attacks. (Note, you might need a registered account in order to perform such a search.)
I found the following document:
Infodoc ID: 17585
Synopsis: How to defend a system from TCP SYN Flood attacks - Ref: CERT CA-96.21
Date: 28 Aug 1998
The synopsis of this document is as follows.
For Solaris 2.5 systems, patch 103447-10 (or later) must be installed.
For Solaris 2.5.1 systems, patch 103582-16 (or later) must be installed.
Both of these patches add TCP tuning parameters to avoid SYN flood attacks.

tcp_conn_req_max_q0 (default 1024):
    The maximum number of connections with handshake incomplete. A SYN flood attack could only affect this queue, and a special algorithm makes sure that valid connections can still get through.

tcp_conn_req_max_q (default 128):
    The maximum number of completed connections waiting to return from an accept call as soon as the right process gets some CPU time.

These two parameters replace tcp_conn_req_max, which originally had a default value of 32.
The new limits (see above) should be sufficient to fend off a SYN attack and to make sure that valid connections will be accepted, so in most cases you would not need to tune them.
If your system seems to be slow in accepting network connections and
you believe that you have become a victim of a SYN flood attack, run
the following command:
Look for values greater than 0 for both tcpListenDropQ0 and tcpHalfOpenDrop.
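
The check described above can be scripted. This is an added example, not part of the Infodoc or the original page: it reads TCP statistics on stdin and classifies the two counters the Infodoc names. It assumes the `name = value`, two-pairs-per-line layout that Solaris `netstat -s` prints (the page does not show the command); the function names, verdict labels and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Infodoc. Counter names come from the page;
# function names, verdict labels and the sample values are constructed here.

# Constructed sample in the "name = value", two-pairs-per-line layout
# assumed for Solaris TCP statistics output.
SAMPLE='TCP     tcpRtoAlgorithm     =     4     tcpRtoMin           =   200
        tcpActiveOpens      =  1520     tcpPassiveOpens     = 48211
        tcpListenDrop       =     0     tcpListenDropQ0     =  3317
        tcpHalfOpenDrop     =   942     tcpOutSackRetrans   =     0'

# counter NAME: read statistics on stdin, print NAME's value (nothing if absent).
# Matching is on the whole token, so tcpListenDrop never matches tcpListenDropQ0.
counter() {
    awk -v want="$1" '{
        gsub(/=/, " = ")    # also accept "name=value" with no spaces
        for (i = 1; i + 2 <= NF; i++)
            if (!seen && $i == want && $(i + 1) == "=") { print $(i + 2); seen = 1 }
    }'
}

# syn_flood_verdict: read statistics on stdin and classify the two counters.
#   SUSPECT  both counters > 0 (the condition the Infodoc says to look for)
#   CHECK    only one counter > 0
#   OK       both counters are 0
#   UNKNOWN  a counter is missing or not numeric
syn_flood_verdict() {
    stats=$(cat)
    q0=$(printf '%s\n' "$stats" | counter tcpListenDropQ0)
    ho=$(printf '%s\n' "$stats" | counter tcpHalfOpenDrop)
    for v in "$q0" "$ho"; do
        case "$v" in ''|*[!0-9]*) echo UNKNOWN; return 0 ;; esac
    done
    if [ "$q0" -gt 0 ] && [ "$ho" -gt 0 ]; then echo SUSPECT
    elif [ "$q0" -gt 0 ] || [ "$ho" -gt 0 ]; then echo CHECK
    else echo OK
    fi
}

# Run against the constructed sample; on a live host, pipe the real
# statistics output into syn_flood_verdict instead.
printf '%s\n' "$SAMPLE" | syn_flood_verdict
```
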
Infodoc ID: 12618
Synopsis: TCP/IP PSD/FAQ
Date: 13 Oct 1999
This is a TCP/IP tuning document, which I downloaded, cleaning up the site-specific HTML.