The industry standard TCP specification (RFC793) has a vulnerability
whereby established TCP connections can be reset by an attacker using
the TCP RST (Reset) or SYN (Synchronize) flags.

These packets need to have source and destination IP addresses that match
the established connection as well as the same source and destination TCP ports.

The fact that TCP sessions can be reset by sending suitable RST and SYN
packets is a design feature of TCP. According to RFC 793, a RST or SYN
attack is only possible when the source IP address and TCP port can be
forged or "spoofed." In that case TCP sessions, including Telnet, SSH,
SFTP and HTTP may be disconnected without warning. TCP sessions that have
been disconnected can be re-established.

Normally, a TCP SYN packet (request for a new connection) that arrives on
a server using a matching IP address, port number, and matching sequence
number for an existing connection causes a TCP RST packet to be returned
to the client. An attacker can guess the proper sequence number, along
with the port and IP addresses, to cause an existing connection to
be terminated with a TCP RST.

When a client is rebooted without closing an old connection to the server,
a subsequent attempt to connect to the server that matches the old
connection tuple and sequence number will require a TCP RST in order
to purge the old (stale) connection.

HP has addressed these potential vulnerabilities, called TCP RST attack and
TCP SYN attack, by providing two new kernel tunable variables, tcp_rst_win
(TCP RST window) and tcp_syn_win (TCP SYN window).

The tcp_rst_win and tcp_syn_win variables mitigate the TCP reset attack by
reducing the window sizes in which a TCP RST/SYN packet will be accepted
by the HP Tru64 UNIX system.

Set the tunable values as follows:

a) tcp_rst_win 

   tcp_rst_win = -1 (default)
      Retains existing TCP behavior with respect to reset packets.

   tcp_rst_win = 2048
      Provides a level of protection that significantly reduces the size
      of the TCP reset window while allowing for common TCP client/server
      sequence number variations. This allows a reset packet to be accepted
      by the HP Tru64 UNIX system when the remote machine has
      unacknowledged outstanding packets of up to a total of 2048 bytes.

    tcp_rst_win = 0
      Provides maximum security against the potential DoS condition. Setting
      tcp_rst_win to 0 provides the highest level of protection without
      migrating to an IPSec environment. This setting restricts the
      acceptance of a reset packet to the current sequence number and may
      result in the rejection of valid reset packets where sent data packets
      have not been acknowledged.


b) tcp_syn_win
  
   WARNING: by setting tcp_syn_win down to 2048 or less, the probability
   increases that a rebooted client will not be able to re-connect to a
   former server. For this reason, setting tcp_syn_win to any value other
   than the default value of -1 is not recommended. The client connection
   attempt could time out, but then work as expected when trying it again
   at a later time.

   tcp_syn_win = -1 (default)
      Retains existing TCP behavior with respect to SYN packets.

   tcp_syn_win = 2048
      Provides a level of protection that significantly reduces the size
      of the TCP syn window while allowing for common TCP client/server
      sequence number variations. This will allow a SYN packet to be
      accepted by the HP Tru64 UNIX system when the remote machine as
      unacknowledged outstanding packets of up to a total of 2048 bytes.

   tcp_syn_win = 0
      This setting should not be used without evidence of an active SYN
      attack. When a client attempts to establish a new connection to
      the server, the IP addresses and often the port numbers are the
      same, and the sequence number can sometimes fall within the existing
      (stale) sequence number space of the old connection.  A TCP RESET
      packet is sent to purge the stale connection from the server and
      allow the client to establish a new connection. The
      "tcp_syn_win = 0" setting may cause a valid SYN to fail at resetting
      an established connection, as evidenced by a rebooted client failing
      to connect during initial attempts to re-establish previous
      socket connections.

Customers who are extremely sensitive to this security issue should
implement IPSec, available in HP Tru64 UNIX 5.1A and 5.1B. Tru64 UNIX
customers running V4.0F and V4.0G can receive maximum available protection
with tcp_rst_win to 0 and tcp_syn_win to 0.

To implement the new kernel tunable variables, customers should first
install the ERP appropriate for for their verson and patch kit. Following
the ERP installation, customers can adjust the tunable variables as
described below.

The TCP RST window variable (tcp_rst_win) can be adjusted using the
"sysconfig" and "sysconfigdb" commands:

# sysconfig -q inet tcp_rst_win
  inet:
  tcp_rst_win = -1

# sysconfig -r inet tcp_rst_win=2048
  tcp_rst_win: reconfigured

# sysconfig -q inet tcp_rst_win
   inet:
      tcp_rst_win = 2048

# sysconfig -q inet tcp_rst_win > /tmp/tcp_rst_win_merge

# sysconfigdb -m -f /tmp/tcp_rst_win_merge inet

# sysconfigdb -l inet
   inet:
      tcp_rst_win = 2048

Similarly, the TCP SYN window variable (tcp_syn_win) can be adjusted using
the "sysconfig" and "sysconfigdb" commands:

# sysconfig -q inet tcp_syn_win
  inet:
  tcp_syn_win = -1

# sysconfig -r inet tcp_syn_win=2048
  tcp_syn_win: reconfigured

# sysconfig -q inet tcp_syn_win
   inet:
      tcp_syn_win = 2048

# sysconfig -q inet tcp_syn_win > /tmp/tcp_syn_win_merge

# sysconfigdb -m -f /tmp/tcp_syn_win_merge inet

# sysconfigdb -l inet
   inet:
      tcp_syn_win = 2048

