2-9
Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
OL-16000-07
Chapter 2 Managing BTS Users and Commands Using EMS
Solaris OS Security and BTShard Package
IP_RESPOND_TO_ECHO_BROADCAST—This option determines whether the system responds to ICMP
broadcast echo requests (ping). An attacker can mount a denial of service attack against a subnet
by sending many broadcast echo requests, to which every system on the subnet replies. The replies
also reveal which systems are up on the network. The Solaris default value is 1 (True); setting the
option to 0 suppresses the replies. For example:
ip_respond_to_echo_broadcast=1
IP_RESPOND_TO_TIMESTAMP—This option determines whether the system responds to ICMP timestamp
requests, which some systems use to discover the time on a remote host. An attacker may use the
time information to schedule an attack for a period when the system is running a cron job (or
other time-based event) or is otherwise busy. It may also be possible to predict ID or sequence
numbers that are derived from the time of day and so spoof services. The Solaris default value is
1 (True). For example:
ip_respond_to_timestamp=0
IP_RESPOND_TO_TIMESTAMP_BROADCAST—This option determines whether the system responds to
ICMP broadcast timestamp requests, which are used to discover the time on all systems in the
broadcast range. This option is dangerous for the same reasons as responding to a single timestamp
request. Additionally, an attacker may try to create a denial of service attack by generating many
broadcast timestamp requests. The Solaris default value is 1 (True). For example:
ip_respond_to_timestamp_broadcast=0
IP_SEND_REDIRECTS—This option determines whether the system sends ICMP redirect messages,
which can change the routing table of the receiving system. Only systems that act as routers
should send redirects. The Solaris default value is 1 (True). For example:
ip_send_redirects=0
IP_STRICT_DST_MULTIHOMING—This option determines whether strict destination multihoming is
enabled. If it is set to 1 and ip_forwarding is set to 0, a packet that arrives on one interface but is
addressed to the IP address of a different interface is dropped. This prevents an attacker from
passing packets through a multihomed machine that is not acting as a router. The Solaris default
value is 0 (False). For example:
ip_strict_dst_multihoming=1
TCP_CONN_REQ_MAX_Q0—This option determines the size of the queue that holds half-open
connections (SYN received, handshake not yet completed) and so provides protection from SYN flood
attacks. Solaris 2.6 and 7 (and 2.5.1 with patch 103582-12 or later) include this protection. The
default queue size is adequate for most systems but should be increased for busy servers such as
web servers. The Solaris default value is 1024. For example:
tcp_conn_req_max_q0=4096
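As an added example (not from the Cisco guide or the BTShard package), the following POSIX shell script turns the tunables above into an audit and apply tool. It keeps the target values in the same name=value form the guide uses, maps each tunable to the driver that owns it, and either reports which live settings differ from the targets or prints the ndd -set commands that would bring them into line. The path /usr/sbin/ndd, the mapping of ip_* to /dev/ip and tcp_* to /dev/tcp, and the function names are assumptions; the value list is constructed from the "For example" lines in the text, with ip_respond_to_echo_broadcast left at 1 as shown there.

```shell
#!/bin/sh
# Added example, not part of the Cisco guide or the BTShard package.
# Audits the ndd(1M) tunables discussed above, or emits the ndd -set
# commands that would apply them.
# Assumptions: ndd lives at /usr/sbin/ndd; ip_* tunables belong to
# /dev/ip and tcp_* tunables to /dev/tcp.

NDD=${NDD:-/usr/sbin/ndd}

# Target values, constructed from the text, in the guide's name=value form.
# ip_respond_to_echo_broadcast is kept at its default of 1 as the text shows.
HARDENED_TUNABLES='
ip_respond_to_echo_broadcast=1
ip_respond_to_timestamp=0
ip_respond_to_timestamp_broadcast=0
ip_send_redirects=0
ip_strict_dst_multihoming=1
tcp_conn_req_max_q0=4096
'

# Map a tunable name to the driver that owns it (assumed mapping).
ndd_driver() {
    case "$1" in
        ip_*)  echo /dev/ip ;;
        tcp_*) echo /dev/tcp ;;
        *)     return 1 ;;
    esac
}

# Read the live value of one tunable with ndd -get.
current_value() {
    drv=$(ndd_driver "$1") || return 1
    "$NDD" -get "$drv" "$1"
}

# Decide whether a value satisfies the target. The half-open queue is a
# minimum (a larger queue is fine); every other tunable must match exactly.
# $1 = name, $2 = target value, $3 = value to check (read via ndd if empty).
tunable_ok() {
    have=$3
    if [ -z "$have" ]; then
        have=$(current_value "$1") || return 2
    fi
    case "$1" in
        tcp_conn_req_max_q0) [ "$have" -ge "$2" ] ;;
        *)                   [ "$have" -eq "$2" ] ;;
    esac
}

# Print the ndd -set commands without running them. Review the output,
# then pipe it into sh as root to apply.
ndd_set_commands() {
    while IFS='=' read -r name value; do
        [ -n "$name" ] || continue
        drv=$(ndd_driver "$name") || { echo "unknown tunable: $name" >&2; continue; }
        echo "$NDD -set $drv $name $value"
    done <<EOF
$HARDENED_TUNABLES
EOF
}

# Compare every live value against the targets. Returns 0 only if all pass.
audit_tunables() {
    rc=0
    while IFS='=' read -r name want; do
        [ -n "$name" ] || continue
        if tunable_ok "$name" "$want"; then
            echo "ok   $name=$want"
        else
            echo "FAIL $name: want $want, have $(current_value "$name" 2>/dev/null || echo '?')"
            rc=1
        fi
    done <<EOF
$HARDENED_TUNABLES
EOF
    return $rc
}

# Run directly on a Solaris host: audit the live settings. Elsewhere, show
# the commands that would be applied.
if [ -x "$NDD" ]; then
    audit_tunables
else
    echo "$NDD not found on this host; commands that would be applied:" >&2
    ndd_set_commands
fi
```

Values set with ndd do not survive a reboot, so the -set commands have to be reapplied from a startup script rather than run once by hand; the audit function is the check to run after a reboot or patch to confirm they took effect.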
The following startup files are removed from the run level 3 environment of the BTS 10200.
The services they start can still be started manually if required in a laboratory setting; they
are not required for field operations.
S71rpc
S73cachefs.daemon
S73nfs.client
S74autofs
S80lp
S80spc