AIX TCP Traffic Regulation
Introduction
TCP network services and subsystems running on AIX automatically and
transparently take advantage of this DoS mitigation technology through
simple administrative tuning. The feature provides a simplified approach
to increased network security by combining centralized management with
firewall-profile-based customization.
In addition to providing service-level and system-level TCP DoS
mitigation, IBM AIX TCP Traffic Regulation provides system-wide diversity
of TCP connection resources across the source IP addresses that initiate
connections, so that no single source can monopolize a protected port.
Due to the mass adoption of Internet technology by governments, banks,
universities, hospitals, and businesses around the world, our society
has transformed to depend on the availability of network services for
daily operation. It is imperative that our society's network
infrastructure become resilient to active attacks on this availability.
IBM AIX TCP Traffic Regulation provides a low-cost means of making network
services resilient to such attacks. Protection is applied at the operating
system level, allowing transparent mitigation of network
denial-of-service attacks. To activate protection, an administrator
defines a firewall profile and customizes it to protect the specific TCP
ports handling critical services. These centralized custom firewall
profiles give the security administrator greater power and flexibility in
tailoring network security policy.
Operating system architecture
IBM AIX TCP Traffic Regulation provides a new architectural layer within
the AIX operating system. The goal of this new layer is two-fold:
- Provide a centralized management framework for defining custom TCP firewall profiles.
- Actively manage incoming TCP socket connections and resource diversity in accordance with the current firewall policy.
Figure 1. IBM AIX TCP Traffic Regulation (TR) Architecture
The firewall policy itself is governed by the profile definitions added, removed, or modified by a systems administrator.
Each profile consists of three elements:
- TCP port or port-range requiring protection.
- Maximum number of incoming socket connections allowed for this profile's TCP port(s).
- Diversity value (a numerical quantity used to tune the overall diversity of shared TCP resources across the pool of maximum incoming socket connections).
This system of mitigation works transparently and requires no change to
existing applications: TCP TR manages incoming socket connection requests
at the kernel level, below the application (see Figure 1). Thus any
network service running on AIX on a TCP port covered by one of these
firewall profiles is automatically protected from connection-exhaustion
denial-of-service attacks.
Firewall profiles are defined using the tcptr command-line utility. This
utility provides interactive administration and scripted manipulation of
TCP TR policies. The entire TCP TR subsystem can be turned on or off with
the tcptr_enable network option. For example, to activate the subsystem,
use the following no command (the -p flag applies the change to the
running system and makes it persist across reboots):
# no -p -o tcptr_enable=1
To confirm the current value, run no -o tcptr_enable. Policies added with
tcptr have no effect while tcptr_enable is 0.
The tcptr command assigns a maximum number of incoming TCP connections to
a given network port or range of ports. Administrative users control the
system resources related to TCP TR by adding or removing pools of
connection resources, each pool being shared collectively by the incoming
socket requests that remote hosts send to the AIX TCP layer.
Optionally, a diversity tunable (the divisor) can be specified to give
finer control over how the pool is shared among source addresses.
Once in effect, these TCP TR profiles become the active policy governing
connections. The operating system automatically ensures that the pool's
resources are shared across the multiple remote IP addresses attempting
to connect through TCP to a protected port, rather than being consumed
by a single source.
Attack overview
Network services are generally unaware of the operating system resources
allocated to them for TCP communication. Most TCP services simply accept
new socket connection requests as they arrive. If left uncapped, a
continuous barrage of TCP connection requests, and the resulting
consumption of TCP resources by the service, will eventually exhaust all
the available system resources.
Figure 2. Topology for TCP resource exhaustion
An attacker can exploit this behavior to launch a remote
denial-of-service attack against a vulnerable network service over the
Internet. By establishing thousands of socket connections with the
target, the attacker eventually makes the service unavailable, either by
bringing down the system itself or by exhausting the socket resources of
the targeted service. Once the system or service is unavailable,
legitimate clients are blocked from using the network service hosted by
the system under attack (see Figure 2).
TCP TR utility
The TCP TR utility configures or displays TCP TR policy information to
control the maximum number of incoming socket connections for ports. The
syntax of the utility follows:
tcptr -add <start port> <end port> <max connection> [divisor]
tcptr -delete <start port> <end port>
tcptr -show
where:
-add
adds a new TCP TR policy to the system. You must specify the start port, the end port, and the maximum allowable connections for the policy. The start port and the end port are the same when a single port rather than a range is protected. Optionally, you can specify a divisor to enforce greater diversity of resource sharing across the pool of available TCP connections.
-delete
deletes an existing TCP TR policy from the system. This flag requires the start port and the end port of the policy to delete (the same as the start port if the policy covers a single port); the maximum connection value is not given.
-show
displays all existing TCP TR policies defined on the system. Use the -show flag to see the active policies before using the -delete flag.
The parameters are:
<max connection>
Specifies the maximum number of incoming TCP connections for the given TR policy.
<start port>
Specifies the beginning port for the current TR policy.
<end port>
Specifies the end port for the current TR policy. If the policy covers a range, the value must be larger than the start port. If the policy covers a single port, the value must be equal to the start port.
<divisor>
Specifies the divisor used when comparing the number of available incoming TCP connections with the number of connections already consumed by a single source IP address. The divisor is an exponent of two: the available connections are divided by 2 raised to this value to obtain the share one source may hold. This parameter is optional; if it is not specified, the default value is 1, in which case a single source may consume up to half of the available connections.
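The following Python model is added here to illustrate the attack described in the overview and the meaning of the divisor parameter; it is not AIX code and not from IBM. It follows the page's description only (a pool of max connections per port range; a source is refused when its consumed connections reach the available connections divided by 2**divisor); the exact kernel arithmetic is an assumption, and the addresses and request counts are constructed.

```python
"""Model of an AIX TCP Traffic Regulation (TR) policy.

Added illustration only, not the AIX kernel implementation.  It follows the
behaviour described on the page: a policy covers a port range, owns a pool
of at most `max_conn` incoming connections, and compares a source address's
consumed connections against the pool's *available* connections divided by
2**divisor (divisor defaults to 1, i.e. half).  The comparison rule is an
assumption; the IP addresses and request counts are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field


@dataclass
class TRPolicy:
    start_port: int
    end_port: int
    max_conn: int
    divisor: int = 1                                   # cap = available >> divisor
    active: Counter = field(default_factory=Counter)   # src ip -> open connections

    def __post_init__(self) -> None:
        # Same constraints tcptr places on its arguments.
        if not 1 <= self.start_port <= self.end_port <= 65535:
            raise ValueError("start port must be <= end port, both 1..65535")
        if self.max_conn <= 0 or self.divisor < 0:
            raise ValueError("max connections must be > 0, divisor >= 0")

    def covers(self, port: int) -> bool:
        return self.start_port <= port <= self.end_port

    @property
    def consumed(self) -> int:
        return sum(self.active.values())

    @property
    def available(self) -> int:
        return self.max_conn - self.consumed

    def per_source_cap(self) -> int:
        """Connections one source may hold right now: available / 2**divisor."""
        return self.available >> self.divisor

    def admit(self, src_ip: str) -> bool:
        """Accept a connection request from src_ip if the policy allows it."""
        if self.available <= 0:
            return False                   # pool exhausted
        if self.active[src_ip] >= self.per_source_cap():
            return False                   # this source already holds its share
        self.active[src_ip] += 1
        return True

    def release(self, src_ip: str) -> None:
        """Connection closed: hand the slot back to the pool."""
        if self.active[src_ip] > 0:
            self.active[src_ip] -= 1


def simulate(policy: TRPolicy, requests: list[str]) -> dict:
    """Feed a sequence of source addresses through admit() and tally the result."""
    admitted: Counter = Counter()
    rejected = 0
    for src in requests:
        if policy.admit(src):
            admitted[src] += 1
        else:
            rejected += 1
    return {"admitted": sum(admitted.values()), "rejected": rejected,
            "per_source": dict(admitted)}


def single_source_flood(max_conn: int, divisor: int) -> dict[str, int]:
    """One attacker sends 1000 requests to port 23, then a legitimate client sends 5."""
    pol = TRPolicy(23, 23, max_conn, divisor)
    attacker = ["203.0.113.7"] * 1000           # constructed attacker address
    client = ["192.0.2.10"] * 5                 # constructed legitimate client
    tally = simulate(pol, attacker + client)
    return {"attacker": tally["per_source"].get("203.0.113.7", 0),
            "client": tally["per_source"].get("192.0.2.10", 0)}


def distributed_flood(max_conn: int, divisor: int, sources: int) -> dict[str, int]:
    """Many distinct attacker addresses, one request each, then the same client."""
    pol = TRPolicy(23, 23, max_conn, divisor)
    attackers = [f"10.0.{i // 256}.{i % 256}" for i in range(sources)]  # constructed
    client = ["192.0.2.10"] * 5
    tally = simulate(pol, attackers + client)
    client_ok = tally["per_source"].get("192.0.2.10", 0)
    return {"attacker": tally["admitted"] - client_ok, "client": client_ok}


if __name__ == "__main__":
    print("port 23, pool 256, divisor 1:", single_source_flood(256, 1))
    print("port 23, pool 256, divisor 3:", single_source_flood(256, 3))
    print("300 sources, pool 256, divisor 1:", distributed_flood(256, 1, 300))
```

With a pool of 256 and the default divisor, a single flooding source is stopped at 85 connections and the client that arrives afterwards is still admitted; with divisor 3 the same source is stopped at 28. The third scenario is the caveat a practitioner should keep in mind: TR enforces diversity across source addresses, so a flood spread over hundreds of distinct addresses, each staying under its own share, still drains the pool and the late client is refused. Size the pool for the service's real concurrency and treat TR as one layer of DoS defense, not the only one.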
Examples
To add a TCP Traffic Regulation policy that covers only TCP port 23, with a
maximum incoming connection pool of 256 and an available-connections
divisor of 3 (each source address is limited to 1/8 of the available
connections), enter the following command:
# tcptr -add 23 23 256 3
To add a TCP Traffic Regulation policy that covers the TCP port range 5000
to 6000, with a maximum incoming connection pool of 5000 and an
available-connections divisor of 2 (each source address is limited to 1/4
of the available connections), enter the following command:
# tcptr -add 5000 6000 5000 2
To show the TCP Traffic Regulation policies set for the system, enter the following command:
# tcptr -show
To delete the TCP Traffic Regulation policy that covers the TCP port range 5000 to 6000, enter the following command (the start and end ports must match the policy exactly; use -show first to confirm them):
# tcptr -delete 5000 6000