
OpenBSD's sysctl settings and Antioffline's DOS prevention article?


I'm hoping some of you w/ more experience than I can comment a bit on the DoS prevention settings article that Antioffline.com recently ran and how it may or may not be related to OpenBSD. This is of interest to me as I want to run an OpenBSD packet filter on a fairly trafficked site.

Bsdatwork.com summarized the recommended settings for FreeBSD (below) but didn't specifically address OpenBSD, so I did a sysctl -a on my 2.9 system to take a look and see what OpenBSD's settings were, as well as taking a look at the sysctl man page.

Omitting the IPv6 stuff for the time being, I found that 7 of the recommended 11 settings corresponded to settings on my OpenBSD system. I've listed these in parentheses below Antioffline's recommended settings for FreeBSD. If I couldn't find a counterpart with sysctl -a, I listed this as well.

TCP send and receive spaces
sysctl -w net.inet.tcp.sendspace=32768
(OpenBSD 2.9)(net.inet.tcp.sendspace = 16384)
sysctl -w net.inet.tcp.recvspace=32768
(OpenBSD 2.9)(net.inet.tcp.recvspace = 16384)

Socket queue defense against SYN attacks
sysctl -w kern.ipc.somaxconn=1024
(OpenBSD 2.9)(kern.somaxconn = 128)

sysctl -w net.inet.icmp.drop_redirect=1
(OpenBSD 2.9)(no counterpart?)
sysctl -w net.inet.icmp.log_redirect=1
(OpenBSD 2.9)(no counterpart?)
sysctl -w net.inet.ip.redirect=0
(OpenBSD 2.9)(net.inet.ip.redirect = 1)

ARP cleanup
sysctl -w net.link.ether.inet.max_age=1200
(OpenBSD 2.9)(no counterpart?)

Source routing
sysctl -w net.inet.ip.sourceroute=0
(OpenBSD 2.9)(net.inet.ip.sourceroute = 0)
sysctl -w net.inet.ip.accept_sourceroute=0
(OpenBSD 2.9)(no counterpart?)

Broadcast ECHO response
sysctl -w net.inet.icmp.bmcastecho=0
(OpenBSD 2.9)(net.inet.icmp.bmcastecho = 0)

Other broadcast probes
sysctl -w net.inet.icmp.maskrepl=0
(OpenBSD 2.9)(net.inet.icmp.maskrepl = 0)

Now my questions are:
1. Should I be messing with these settings in the first place?

2. If "yes" or "maybe" to #1, are these settings to be changed and left in place as part of a "hardening" procedure or are these setting that you would change during a DOS attack and switch back afterwards?

3. I don't fully understand the implications of messing with some of these settings, so I would appreciate any commentary on the drawbacks or tradeoffs of changing the default OpenBSD settings. For example, what would be the drawbacks to increasing kern.somaxconn from 128 to 1024 and doubling the TCP send and receive space?

4. Any commentary on the options that are mentioned for FreeBSD but do not appear in OpenBSD would be appreciated.

5. Since I am concerned with these settings for a packet filter box, whether any of these are especially relevant or not relevant to such a purpose-built box.

And finally, I've tried to do my homework here so if you feel a RTFM reply is appropriate, please include some appropriate links to the FM.

thanks all.


Visit your host, monkey.org
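The comparison the poster did by hand above (FreeBSD recommendation on one line, OpenBSD 2.9 value underneath) can be turned into a repeatable audit. The script below is an added example, not code from the original post, from Antioffline or from bsdatwork.com: it reads `sysctl -a` style output, checks it against a baseline written with the OpenBSD names and values the post quotes (e.g. kern.ipc.somaxconn matched to kern.somaxconn), and prints the `sysctl -w` commands that would close the gaps without running them. The `SAMPLE_SYSCTL` dump is constructed from the 2.9 defaults the post lists, the FreeBSD knobs the post marked "no counterpart?" are left out of the baseline rather than guessed, and the `AUDIT_BASELINE` variable name is the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a `sysctl -a` dump
# against the recommended values the post lists, using the OpenBSD names the
# poster matched up (e.g. kern.ipc.somaxconn -> kern.somaxconn).

# Baseline as "<openbsd-sysctl-name> <recommended-value>". The FreeBSD knobs
# the post marked "no counterpart?" are deliberately omitted, not guessed.
BASELINE='net.inet.tcp.sendspace 32768
net.inet.tcp.recvspace 32768
kern.somaxconn 1024
net.inet.ip.redirect 0
net.inet.ip.sourceroute 0
net.inet.icmp.bmcastecho 0
net.inet.icmp.maskrepl 0'

# Constructed sample of `sysctl -a` output using the OpenBSD 2.9 values the
# post quotes. On a real box feed it the output of: sysctl -a
SAMPLE_SYSCTL='kern.ostype = OpenBSD
kern.somaxconn = 128
net.inet.ip.forwarding = 1
net.inet.ip.redirect = 1
net.inet.ip.sourceroute = 0
net.inet.tcp.sendspace = 16384
net.inet.tcp.recvspace = 16384
net.inet.icmp.maskrepl = 0
net.inet.icmp.bmcastecho = 0'

# audit_sysctl <sysctl -a output> <baseline>
# Prints one line per baseline entry: OK, DIFF or MISSING, with the current
# and recommended values. AUDIT_BASELINE is just a carrier into awk.
audit_sysctl() {
    printf '%s\n' "$1" | AUDIT_BASELINE="$2" awk '
        BEGIN {
            n = split(ENVIRON["AUDIT_BASELINE"], lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                order[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        # OpenBSD prints "name = value"; split on the first " = " only so
        # values that themselves contain "=" survive intact.
        {
            sep = index($0, " = ")
            if (sep == 0) next
            have[substr($0, 1, sep - 1)] = substr($0, sep + 3)
        }
        END {
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (!(name in have))               { status = "MISSING"; cur = "-" }
                else if (have[name] == want[name]) { status = "OK";      cur = have[name] }
                else                               { status = "DIFF";    cur = have[name] }
                printf "%-28s %-8s current=%s recommended=%s\n", name, status, cur, want[name]
            }
        }'
}

# sysctl_fixups <sysctl -a output> <baseline>
# Emits the `sysctl -w` commands that would bring every DIFF entry to the
# baseline. It only prints them: review each tradeoff before running any.
sysctl_fixups() {
    audit_sysctl "$1" "$2" | awk '$2 == "DIFF" {
        sub(/^recommended=/, "", $4)
        printf "sysctl -w %s=%s\n", $1, $4
    }'
}

audit_sysctl "$SAMPLE_SYSCTL" "$BASELINE"
echo
sysctl_fixups "$SAMPLE_SYSCTL" "$BASELINE"
```

Run against the constructed sample it reports four DIFF entries (both TCP buffer sizes, kern.somaxconn and net.inet.ip.redirect) and three already at the recommended value, which is exactly the gap the post tabulates by hand; a name absent from the dump is reported as MISSING rather than silently treated as compliant.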