Patch Name: PHNE_10159

Patch Description: s700 10.16 VirtualVault perf/SYN attack/hp_syn_protect

Creation Date: 97/03/11

Post Date: 97/03/14

Hardware Platforms - OS Releases:
    s700: 10.16

Products: N/A

Filesets:
    OS-Core.CORE-KRN BLS.BLS-CORE Networking.NET-KRN Networking.NET-PRG

Automatic Reboot?: Yes

Status: General Superseded

Critical: No

Path Name: /hp-ux_patches/s700/10.X/PHNE_10159

Symptoms:
    PHNE_10159:
    Cannot set hp_syn_protect using nettune.

    PHNE_9987:
    A SYN attack can result in Denial of Service (DoS) to legitimate
    users.

    This kernel patch PHNE_9987 is dependent upon patch PHCO_8449.
    You must first install patch PHCO_8449.

    PHNE_8071:
    PHCO_8449 is the first part of the WWW/VV performance fix.
    The description is for both PHCO_8449 AND PHNE_8071:

    * When running WWW or Virtual Vault (VV) on CMW, it can generate
      network traffic such that within a short period of time, most
      network connect requests will either be reset or denied due to
      lack of kernel memory, resulting in a total lack of service.
      Eventually the problem corrects itself: as network connect
      requests decrease, other system activity replenishes the kernel
      memory area, although not completely.

    * The problem occurs on the system that is accepting connections
      and may manifest itself in many forms. The problem is caused by
      the kernel memory allocator not being able to satisfy memory
      requests from interrupt contexts.

Defect Description:
    PHNE_10159:
    nettune cannot be used to adjust so_qlimit_max, so_qlimit_min,
    and hp_syn_protect.

    PHNE_9987:
    A SYN attack can result in Denial of Service (DoS) to legitimate
    users.

    PHNE_8071:
    The description is for both PHCO_8449 AND PHNE_8071:

    * The performance fix includes kernel header files, kernel source
      code and the commands kmstat(1M) and m6d(1M). The patch
      PHNE_8071 includes only the kernel part of the fix. The command
      fix is in PHCO_8449.

    * The fix modified the memory allocator algorithm and incorporated
      the WWW performance-related fixes in PHNE_7324 (HP-UX 10.01).
      Additional changes were also made in the MaxSix networking area.

SR: 0000000000

Patch Files:
    /usr/conf/netinet/in_pcb.h
    /usr/conf/netinet/tcp_var.h
    /usr/conf/h/sec_alloc.h
    /usr/conf/h/scs_rec.h
    /usr/include/sys/scs_rec.h
    /usr/include/sys/sec_alloc.h
    /usr/include/netinet/in_pcb.h
    /usr/include/netinet/tcp_var.h
    /usr/conf/lib/libhp-ux.a(security.o)
    /usr/conf/lib/libhp-ux.a(init_main.o)
    /usr/conf/lib/libhp-ux.a(nm_tune.o)
    /usr/conf/lib/libinet.a(tcp_usrreq.o)
    /usr/conf/lib/libinet.a(tcp_subr.o)
    /usr/conf/lib/libinet.a(tcp_input.o)
    /usr/conf/lib/libinet.a(in_pcb.o)
    /usr/conf/lib/libsec.a(sec_tnet.o)
    /usr/conf/lib/libsec.a(sec_alloc.o)
    /usr/conf/lib/libuipc.a(uipc_socket.o)
    /usr/conf/lib/libuipc.a(uipc_socket2.o)

Patch Conflicts: None

Patch Dependencies:
    s700:
    10.16: PHCO_8449

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHNE_8071 PHNE_9987

Equivalent Patches:
    PHNE_10160: s800: 10.16

Patch Package Size: 520 Kbytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license, restrictions,
    and limitation of liability and warranties, before installing
    this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Log in as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHNE_10159

    5a. For a standalone system, run swinstall to install the patch:

        swinstall -x autoreboot=true -x match_target=true \
            -s /tmp/PHNE_10159.depot

    5b. For a homogeneous NFS Diskless cluster, run swcluster on the
        server to install the patch on the server and the clients:

        swcluster -i -b

        This will invoke swcluster in the interactive mode and force
        all clients to be shut down.

        WARNING: All cluster clients must be shut down prior to the
                 patch installation. Installing the patch while the
                 clients are booted is unsupported and can lead to
                 serious problems.

        The swcluster command will invoke an swinstall session in
        which you must specify:

            alternate root path - default is /export/shared_root/OS_700
            source depot path   - /tmp/PHNE_10159.depot

        To complete the installation, select the patch by choosing
        "Actions -> Match What Target Has" and then
        "Actions -> Install" from the Menubar.

    5c. For a heterogeneous NFS Diskless cluster:

        - run swinstall on the server as in step 5a to install the
          patch on the cluster server.
        - run swcluster on the server as in step 5b to install the
          patch on the cluster clients.

    By default swinstall will archive the original software in
    /var/adm/sw/patch/PHNE_10159.
    If you do not wish to retain a copy of the original software,
    you can create an empty file named
    /var/adm/sw/patch/PATCH_NOSAVE.

    Warning: If this file exists when a patch is installed, the
             patch cannot be deinstalled. Please be careful when
             using this feature.

    It is recommended that you move the PHNE_10159.text file to
    /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the tape
    drive, use the command:

        dd if=/tmp/PHNE_10159.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    Must install PHCO_8449 (replacement of PHCO_7524) before
    installing PHNE_10159.

    WARNING: The commands patch, PHCO_8449, and the corresponding
             kernel patches, PHNE_10159, are dependent upon one
             another. The system *will not work* with just one of
             the two patches installed - both kernel and command
             patches must be installed or the RESULTING SYSTEM WILL
             BE UNUSABLE.
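
The dependency and rollback warnings above can be checked before swinstall is run. The following is an added example, not part of the HP patch text: a POSIX shell pre-install check that reads a saved swlist -l product listing. The function names, the listing file, the demo data and the choice to treat PATCH_NOSAVE as blocking are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the HP patch text: pre-install checks for PHNE_10159.
# Assumption: in a saved `swlist -l product` listing, the first field of each
# product line is the product tag (e.g. PHCO_8449).

# has_product LISTING TAG: succeed if TAG is the first field of some line.
has_product() {
    awk -v tag="$2" '$1 == tag { found = 1 } END { exit !found }' "$1"
}

# preflight LISTING DEPOT SAVE_DIR: print findings, return 0 only if no FAIL.
preflight() {
    listing=$1; depot=$2; save_dir=$3; rc=0
    if ! has_product "$listing" PHCO_8449; then
        echo "FAIL: PHCO_8449 missing; install it before PHNE_10159"
        rc=1
    fi
    if [ ! -r "$depot" ]; then
        echo "FAIL: $depot not readable; unshar the patch in /tmp first"
        rc=1
    fi
    # Policy choice of this example: refuse to proceed without a rollback copy.
    if [ -e "$save_dir/PATCH_NOSAVE" ]; then
        echo "FAIL: $save_dir/PATCH_NOSAVE exists; patch could not be deinstalled"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: prerequisites for PHNE_10159 are met"
    return "$rc"
}

# Constructed demo input (not real swlist output from any system).
demo=${TMPDIR:-/tmp}/phne_preflight.$$
mkdir -p "$demo/patch"
printf '  PHCO_8449\tB.10.00.00.AA\tconstructed sample line\n' > "$demo/swlist.out"
: > "$demo/PHNE_10159.depot"
preflight "$demo/swlist.out" "$demo/PHNE_10159.depot" "$demo/patch"
rm -rf "$demo"
```

On the target host the listing would come from swlist -l product redirected to a file, with /tmp/PHNE_10159.depot and /var/adm/sw/patch as the other two arguments.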