If you are not using an advanced firewall to protect your system, you can still harden it against TCP-, UDP- and ICMP-level attacks by setting a list of kernel parameters, or tunables. Most operating systems expose settings of this kind for protection against flood attacks, address spoofing, and ICMP-based attacks.
In this recipe we will enable network protection using kernel tunables. All steps will be performed as root on nodeorcl1.
All tunables must be added to /etc/sysctl.conf to be persistent across system reboots.
To load them immediately, execute the following command:
[root@nodeorcl1 xinetd.d]# sysctl -p
The settings take effect as soon as sysctl -p applies them; restarting the network service is not required for these tunables, but you may do so if you want to confirm that the interfaces come up cleanly with the new settings:
[root@nodeorcl1 xinetd.d]# service network restart
The following is the list and description of the tunables:
A SYN flood is trivial to generate with hping, but there are several other free tools that can generate this kind of attack. These days almost all major Linux distributions ship with this tunable set to 1. To enable TCP SYN cookie protection, which is the kernel's defence against SYN floods, add the following network tunable to /etc/sysctl.conf:
net.ipv4.tcp_syncookies = 1
More details about TCP SYN cookies as a DDoS defence can be found at the following link: http://etherealmind.com/tcp-syn-cookies-ddos-defence/
Source-routed packets let the sender dictate the path a packet takes through the network, which is mostly useful to an attacker trying to bypass routing controls or reach a host from a spoofed address. To drop them, add the following tunable to /etc/sysctl.conf:
net.ipv4.conf.all.accept_source_route = 0
ICMP redirects allow another host on the network to rewrite your routing table, which can be abused to steer traffic through an attacker's machine. To ignore them, add the following tunable to /etc/sysctl.conf:
net.ipv4.conf.all.accept_redirects = 0
To enable reverse-path filtering, which drops packets whose source address is not reachable through the interface they arrived on (a basic anti-spoofing check), add the following tunable to /etc/sysctl.conf:
net.ipv4.conf.all.rp_filter = 1
Strict reverse-path filtering (1) will drop legitimate traffic on hosts with asymmetric routing; on such hosts use loose mode (2) instead. Hardening guides usually also set the net.ipv4.conf.default.* counterpart of each of these tunables so that newly created interfaces inherit the value.
To make the host ignore all ICMP echo requests (ping), which hides it from simple ping sweeps and stops ICMP echo floods, add the following tunable to /etc/sysctl.conf:
net.ipv4.icmp_echo_ignore_all = 1
Be aware that this also breaks legitimate ping-based monitoring of the host, so check with whoever operates your monitoring before enabling it.
To enable logging of spoofed packets, source-routed packets, and redirect packets (so-called martians), add the following tunable to /etc/sysctl.conf:
net.ipv4.conf.all.log_martians = 1
The messages go to the kernel log (dmesg and, typically, /var/log/messages); review them regularly, and expect them to be noisy on a busy or misconfigured network.
Some routers and hosts violate RFC 1122 by sending ICMP error responses to broadcast frames. By default the kernel logs a warning for each of them, which clutters the logs and can be provoked deliberately. To silently ignore such bogus responses, add the following tunable to /etc/sysctl.conf:
net.ipv4.icmp_ignore_bogus_error_responses = 1
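Because sysctl -p applies a file top to bottom and silently lets a later duplicate key override an earlier one, a quick audit of the file against the values listed above is worth having. The following script is an added example and is not part of the original recipe: it normalises a sysctl.conf-style file (comment lines, spacing around the equals sign and the alternative net/ipv4/... spelling), compares the effective values against the recipe's tunables, and optionally repeats the comparison against the running kernel through /proc/sys. The two sample configuration files it creates in temporary files are constructed for illustration.

```shell
#!/bin/sh
# Audit a sysctl.conf-style file (and optionally the running kernel) against the
# network-hardening tunables from this recipe. Added example, not part of the
# original recipe; the temp files and the sample configs are constructed here.

# Baseline: the recipe's tunables and their required values, one key=value per line.
BASELINE='net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_ignore_bogus_error_responses=1'

# Print the effective key=value pairs of a sysctl.conf: comment lines (# or ;)
# dropped, whitespace around '=' removed, the alternative net/ipv4/... spelling
# folded to dots, and only the LAST assignment of a key kept, because sysctl -p
# applies the file top to bottom and a later duplicate silently wins.
normalize_sysctl_conf() {
    sed -e '/^[[:space:]]*[#;]/d' -e 's/[[:space:]]//g' -e 's#/#.#g' "$1" \
        | awk -F= 'NF >= 2 { val[$1] = $2 } END { for (k in val) print k "=" val[k] }' \
        | sort
}

# Compare one file against BASELINE. Prints a MISSING or MISMATCH line per
# finding; returns 0 when the file is compliant, 1 otherwise.
audit_sysctl_conf() {
    normalized=$(normalize_sysctl_conf "$1")
    problems=0
    for line in $BASELINE; do
        key=${line%%=*}; want=${line#*=}
        have=$(printf '%s\n' "$normalized" | awk -F= -v k="$key" '$1 == k { print $2 }')
        if [ -z "$have" ]; then
            printf 'MISSING  %s (want %s)\n' "$key" "$want"; problems=1
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %s = %s (want %s)\n' "$key" "$have" "$want"; problems=1
        fi
    done
    return $problems
}

# Same comparison against the live kernel via /proc/sys, so drift between the
# file and what is actually in effect (a value changed with sysctl -w and never
# written to the file, or a file that was never loaded) shows up. Skipped when
# /proc/sys/net/ipv4 is not present.
audit_running_kernel() {
    [ -d /proc/sys/net/ipv4 ] || { echo "no /proc/sys/net/ipv4 here, live check skipped"; return 0; }
    problems=0
    for line in $BASELINE; do
        key=${line%%=*}; want=${line#*=}
        have=$(cat "/proc/sys/$(printf '%s' "$key" | tr . /)" 2>/dev/null)
        if [ "$have" != "$want" ]; then
            printf 'LIVE     %s = %s (want %s)\n' "$key" "${have:-?}" "$want"; problems=1
        fi
    done
    return $problems
}

# Constructed sample 1: a weak /etc/sysctl.conf. It mixes spellings, leaves the
# bogus-error tunable out, keeps ICMP redirects enabled and, further down,
# re-enables ICMP echo with a duplicate key that overrides the earlier line.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# Kernel sysctl configuration file (constructed sample)
net.ipv4.tcp_syncookies = 1
net/ipv4/conf/all/accept_source_route = 0
net.ipv4.conf.all.accept_redirects=1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.conf.all.log_martians = 1
; operator re-enabled ping "temporarily"
net.ipv4.icmp_echo_ignore_all = 0
EOF

# Constructed sample 2: the recipe's settings exactly as they would be written.
HARDENED_CONF=$(mktemp)
printf '%s\n' "$BASELINE" | sed 's/=/ = /' > "$HARDENED_CONF"

# Usage: audit both samples, then the kernel this script runs on.
echo "== weak file";      audit_sysctl_conf "$WEAK_CONF"     || echo "-> not compliant"
echo "== hardened file";  audit_sysctl_conf "$HARDENED_CONF" && echo "-> compliant"
echo "== running kernel"; audit_running_kernel || echo "-> live values differ from the recipe"
```

Run it as root on the database host after editing /etc/sysctl.conf and again after sysctl -p: the first pass catches typos and duplicate keys in the file, the second confirms that the kernel really holds the values you intended.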
The protection is enforced in the kernel itself, before any user-space service sees the packet, and is effective against these classes of attack. There are slight differences between Linux distributions, but you should find the same parameters addressing network protection at kernel level.
These modifications should be tested first, ideally on a non-production host with the same routing setup. Placing your server behind a properly configured firewall is typically the preferred way to enable these types of protection. However, a database administrator tasked with protecting sensitive data may want to consider kernel-level tunables as a technique that provides an additional level of protection, or that adds a defensive layer in case of a firewall configuration issue.