Chapter 2 Managing BTS Users and Commands Using EMS

Solaris OS Security and BTShard Package

IP_RESPOND_TO_ECHO_BROADCAST—This option determines whether the host responds to ICMP broadcast echo requests (ping to the broadcast address). An attacker may try to create a denial of service on a subnet by sending many broadcast echo requests, to which every system responds. Responding also reveals which systems are present on the network. The Solaris default value is 1 (True). For example:

ip_respond_to_echo_broadcast=1

IP_RESPOND_TO_TIMESTAMP—This option determines whether the host responds to ICMP timestamp requests, which some systems use to discover the time on a remote system. An attacker may use the time information to schedule an attack for a period when the system runs a cron job (or other time-based event) or is otherwise busy. It may also be possible to predict ID or sequence numbers that are derived from the time of day and use them to spoof services. The Solaris default value is 1 (True); the example below disables the response:

ip_respond_to_timestamp=0

IP_RESPOND_TO_TIMESTAMP_BROADCAST—This option determines whether the host responds to ICMP broadcast timestamp requests, which are used to discover the time on every system in the broadcast range. This option is dangerous for the same reasons as responding to a single timestamp request. Additionally, an attacker may try to create a denial of service by generating many broadcast timestamp requests. The Solaris default value is 1 (True); the example below disables the response:

ip_respond_to_timestamp_broadcast=0

IP_SEND_REDIRECTS—This option determines whether the host sends ICMP redirect messages, which can alter the routing table of the remote system. It should be enabled only on systems that act as routers. The Solaris default value is 1 (True); the example below disables it:

ip_send_redirects=0

IP_STRICT_DST_MULTIHOMING—This option determines whether strict destination multihoming is enabled. If it is set to 1 and ip_forwarding is set to 0, a packet addressed to one of the host's interfaces is dropped unless it arrived on that interface. This setting prevents an attacker from passing packets across a machine with multiple interfaces that is not acting as a router. The Solaris default value is 0 (False); the example below enables it:

ip_strict_dst_multihoming=1

TCP_CONN_REQ_MAX_Q0—This option sets the size of the queue of half-open connections (SYN received, handshake not yet completed) and so provides protection from SYN flood attacks. Solaris 2.6 and 7 (and 2.5.1 with patch 103582-12 and higher) include protection from these attacks. The default queue size is adequate for most systems but should be increased for busy web servers. The default value is 1024. For example:

tcp_conn_req_max_q0=4096
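The six values above are kernel tunables that are read and written with ndd(1M); on Solaris the ip_* parameters live under the /dev/ip driver and tcp_conn_req_max_q0 under /dev/tcp, and a value set with ndd -set does not survive a reboot. The following script is an added example, not part of the Cisco guide or the BTShard package: it audits a host against the hardened values listed above and prints the ndd -set commands that enforce them. The NDD_FAKE_STATE variable is a constructed stand-in for ndd output so the audit logic can be run on a system without ndd; everything else uses only the ndd -get/-set syntax.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): audit the Solaris ndd(1M) settings
# discussed above against the hardened values and emit the ndd -set commands
# that apply them. Assumes a Solaris host where /dev/ip and /dev/tcp are the
# ndd drivers for these parameters. NDD_FAKE_STATE is a constructed stand-in
# (same "driver parameter value" layout) used when ndd is not available.

# Target values: driver, parameter, value (one per line).
NDD_HARDENING='
/dev/ip  ip_respond_to_echo_broadcast      1
/dev/ip  ip_respond_to_timestamp           0
/dev/ip  ip_respond_to_timestamp_broadcast 0
/dev/ip  ip_send_redirects                 0
/dev/ip  ip_strict_dst_multihoming         1
/dev/tcp tcp_conn_req_max_q0               4096
'

# ndd_get DRIVER PARAM: print the current value. Uses the real ndd when it is
# present and NDD_FAKE_STATE is unset; otherwise looks the value up in
# NDD_FAKE_STATE (constructed data for offline runs).
ndd_get() {
    if [ -z "$NDD_FAKE_STATE" ] && command -v ndd >/dev/null 2>&1; then
        ndd -get "$1" "$2"
    else
        printf '%s\n' "$NDD_FAKE_STATE" |
            awk -v d="$1" -v p="$2" '$1 == d && $2 == p { print $3 }'
    fi
}

# ndd_audit: print one MISMATCH line per parameter whose current value differs
# from the target; prints nothing when the host already matches.
ndd_audit() {
    printf '%s\n' "$NDD_HARDENING" | while read -r drv prm want; do
        [ -n "$drv" ] || continue
        have=$(ndd_get "$drv" "$prm")
        [ "$have" = "$want" ] && continue
        printf 'MISMATCH %s %s current=%s expected=%s\n' \
            "$drv" "$prm" "${have:-unknown}" "$want"
    done
}

# ndd_mismatch_count: number of parameters that deviate (0 means compliant).
ndd_mismatch_count() {
    ndd_audit | awk 'END { print NR }'
}

# ndd_apply_commands: print the ndd -set commands that enforce the targets.
# ndd changes are lost at reboot, so these lines belong in a boot-time rc
# script as well as being run once on the live system.
ndd_apply_commands() {
    printf '%s\n' "$NDD_HARDENING" | while read -r drv prm want; do
        [ -n "$drv" ] || continue
        printf 'ndd -set %s %s %s\n' "$drv" "$prm" "$want"
    done
}

# Stand-alone run: report deviations, then show the commands that fix them.
ndd_audit
echo "mismatches: $(ndd_mismatch_count)"
ndd_apply_commands
```

Run the script as root on the BTS host to see which tunables still hold the Solaris defaults; pipe ndd_apply_commands into sh to apply them, and keep the same lines in the startup script that the hardening package installs so they are reapplied at boot. Note that ip_strict_dst_multihoming only has the described effect while ip_forwarding is 0, so an audit should check that value as well on multi-homed hosts.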

The following startup files are removed from the level “3” runtime environment of the BTS 10200. These services can still be started manually if required in laboratory circumstances. They are not required for field operations.

S71rpc

S73cachefs.daemon

S73nfs.client

S74autofs

S80lp

S80spc
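A field host can be checked for these startup scripts, and any that have reappeared (for example after a package reinstall) can be taken out of the run level without deleting them, which keeps the manual-start option the text mentions. The script below is an added example, not part of the Cisco guide: it assumes the classic /etc/rc3.d layout in which init runs only entries whose names begin with S or K, and uses a leading-underscore rename as one common way of disabling a script while leaving it on disk. The directory used in the usage note is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): check a run-level 3 rc directory
# for the startup scripts the BTS 10200 hardening removes, and disable any
# that are still present. Assumes the classic /etc/rc3.d layout (init runs
# only names starting with S or K); the underscore rename is one convention
# for keeping a script on disk so it can still be started by hand in the lab.

RC3_REMOVED='S71rpc S73cachefs.daemon S73nfs.client S74autofs S80lp S80spc'

# rc3_present DIR: print each hardening-removed script still present in DIR.
rc3_present() {
    dir=${1:-/etc/rc3.d}
    for s in $RC3_REMOVED; do
        [ -e "$dir/$s" ] && printf '%s\n' "$s"
    done
    return 0
}

# rc3_present_count DIR: number of such scripts (0 means the directory is clean).
rc3_present_count() {
    rc3_present "$1" | awk 'END { print NR }'
}

# rc3_disable DIR: rename each remaining script to _Sxx so init ignores it,
# leaving it in place for a manual start. Prints each rename performed.
rc3_disable() {
    dir=${1:-/etc/rc3.d}
    for s in $(rc3_present "$dir"); do
        mv "$dir/$s" "$dir/_$s" && printf 'disabled %s/%s\n' "$dir" "$s"
    done
    return 0
}

# Stand-alone run: report what is still enabled in the default directory.
rc3_present
echo "remaining: $(rc3_present_count)"
```

Running rc3_present on a production BTS host should print nothing; a non-empty list means the run level has drifted from the hardened baseline and rc3_disable /etc/rc3.d (as root) restores it. A disabled script can still be run by hand from its new name when a lab needs the service.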

Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x

OL-16000-07