Patch Name: PHNE_9987

Patch Description: s700 10.16 Syn attack (flooding) on VVOS and CMW

Creation Date: 97/02/06

Post Date: 97/02/14

Hardware Platforms - OS Releases:
        s700: 10.16

Products: N/A

Filesets:
        OS-Core.CORE-KRN
        BLS.BLS-CORE
        Networking.NET-KRN
        Networking.NET-PRG

Automatic Reboot?: Yes

Status: General Superseded

Critical: No

Path Name: /hp-ux_patches/s700/10.X/PHNE_9987

Symptoms:
        PHNE_9987:
        A SYN attack can result in Denial Of Service (DOS) to legitimate
        users.

        This kernel patch PHNE_9987 is dependent upon patch PHCO_8449.
        You must first install patch PHCO_8449.

        PHNE_8071:
        PHCO_8449 is the first part of the WWW/VV performance fix.
        The description is for both PHCO_8449 AND PHNE_8071:

        * When running WWW or Virtual Vault (VV) on CMW, it can generate
          network traffic such that within a short period of time most
          network connect requests will either be reset or denied due to
          lack of kernel memory, resulting in a total lack of service.
          Eventually the problem will correct itself: as network connect
          requests decrease, other system activity will replenish the
          kernel memory area, although not completely.

        * The problem occurs on the system that is accepting connections
          and may manifest itself in many forms. The problem is caused by
          the kernel memory allocator not being able to satisfy memory
          requests from interrupt contexts.

Defect Description:
        PHNE_9987:
        A SYN attack can result in Denial Of Service (DOS) to legitimate
        users.

        PHNE_8071:
        The description is for both PHCO_8449 AND PHNE_8071:

        * The performance fix includes kernel header files, kernel source
          code and the commands kmstat(1M) and m6d(1M). The patch PHNE_8071
          includes only the kernel part of the fix; the command part of the
          fix is in PHCO_8449.

        * The fix modified the memory allocator algorithm and incorporated
          the WWW performance-related fixes from PHNE_7324 (HP-UX 10.01).
          Additional changes were also made in the MaxSix networking area.
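Added example (not part of the HP patch text): a small Python check, run over constructed `netstat -an` style lines, that counts half-open (SYN_RCVD) connections per local endpoint so an operator can spot the condition this patch addresses (many pending connects on one accepting service). The sample lines, the column layout and the threshold are assumptions.

```python
"""Count half-open TCP connections per local endpoint from netstat-style output."""
import re
from collections import Counter

# Constructed sample of `netstat -an` TCP lines (assumed layout, not real output):
# proto recv-q send-q local-address.port foreign-address.port state
SAMPLE_NETSTAT = """\
tcp        0      0  10.0.0.5.80     192.0.2.10.40001   SYN_RCVD
tcp        0      0  10.0.0.5.80     192.0.2.11.40002   SYN_RCVD
tcp        0      0  10.0.0.5.80     192.0.2.12.40003   SYN_RCVD
tcp        0      0  10.0.0.5.80     198.51.100.7.51000 ESTABLISHED
tcp        0      0  10.0.0.5.22     198.51.100.8.52000 ESTABLISHED
tcp        0      0  *.80            *.*                LISTEN
"""

# One TCP line: protocol, two queue counters, local endpoint, foreign endpoint, state.
LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def count_states(text):
    """Return {local_endpoint: Counter(state -> count)} for the TCP lines in text."""
    per_local = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers, UDP lines and anything not matching the layout
        local, _foreign, state = m.groups()
        per_local.setdefault(local, Counter())[state] += 1
    return per_local


def half_open_alerts(text, max_half_open=2):
    """Local endpoints whose SYN_RCVD count exceeds max_half_open, worst first.

    Each entry is (local_endpoint, half_open_count, established_count).  A pile
    of half-open connections against one service is the symptom the patch text
    describes: connect requests reset or denied for lack of kernel memory.
    """
    alerts = []
    for local, states in count_states(text).items():
        half_open = states.get("SYN_RCVD", 0)
        if half_open > max_half_open:
            alerts.append((local, half_open, states.get("ESTABLISHED", 0)))
    alerts.sort(key=lambda a: a[1], reverse=True)
    return alerts


if __name__ == "__main__":
    for local, half_open, established in half_open_alerts(SAMPLE_NETSTAT):
        print(f"{local}: {half_open} half-open vs {established} established")
```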
SR: 0000000000

Patch Files:
        /usr/conf/netinet/in_pcb.h
        /usr/conf/netinet/tcp_var.h
        /usr/conf/h/sec_alloc.h
        /usr/conf/h/scs_rec.h
        /usr/include/sys/scs_rec.h
        /usr/include/sys/sec_alloc.h
        /usr/include/netinet/in_pcb.h
        /usr/include/netinet/tcp_var.h
        /usr/conf/lib/libhp-ux.a(security.o)
        /usr/conf/lib/libhp-ux.a(init_main.o)
        /usr/conf/lib/libinet.a(tcp_usrreq.o)
        /usr/conf/lib/libinet.a(tcp_subr.o)
        /usr/conf/lib/libinet.a(tcp_input.o)
        /usr/conf/lib/libinet.a(in_pcb.o)
        /usr/conf/lib/libsec.a(sec_tnet.o)
        /usr/conf/lib/libsec.a(sec_alloc.o)
        /usr/conf/lib/libuipc.a(uipc_socket.o)
        /usr/conf/lib/libuipc.a(uipc_socket2.o)

what(1) Output:

cksum(1) Output:

Patch Conflicts: None

Patch Dependencies:
        s700: 10.16: PHCO_8449

Hardware Dependencies: None

Other Dependencies: None

Supersedes: PHNE_8071

Equivalent Patches:
        PHNE_9988:
                s800: 10.16

Patch Package Size: 500 Kbytes

Installation Instructions:
        Please review all instructions and the Hewlett-Packard SupportLine
        User Guide or your Hewlett-Packard support terms and conditions for
        precautions, scope of license, restrictions, and limitation of
        liability and warranties, before installing this patch.

        ------------------------------------------------------------
        1. Back up your system before installing a patch.

        2. Login as root.

        3. Copy the patch to the /tmp directory.

        4. Move to the /tmp directory and unshar the patch:

                cd /tmp
                sh PHNE_9987

        5a. For a standalone system, run swinstall to install the patch:

                swinstall -x autoreboot=true -x match_target=true \
                        -s /tmp/PHNE_9987.depot

        5b. For a homogeneous NFS Diskless cluster, run swcluster on the
            server to install the patch on the server and the clients:

                swcluster -i -b

            This will invoke swcluster in the interactive mode and force
            all clients to be shut down.

            WARNING: All cluster clients must be shut down prior to the
            patch installation. Installing the patch while the clients
            are booted is unsupported and can lead to serious problems.

            The swcluster command will invoke an swinstall session in
            which you must specify:

                alternate root path - default is /export/shared_root/OS_700
                source depot path   - /tmp/PHNE_9987.depot

            To complete the installation, select the patch by choosing
            "Actions -> Match What Target Has" and then
            "Actions -> Install" from the Menubar.

        5c. For a heterogeneous NFS Diskless cluster:

            - run swinstall on the server as in step 5a to install the
              patch on the cluster server.

            - run swcluster on the server as in step 5b to install the
              patch on the cluster clients.

        By default swinstall will archive the original software in
        /var/adm/sw/patch/PHNE_9987. If you do not wish to retain a copy
        of the original software, you can create an empty file named
        /var/adm/sw/patch/PATCH_NOSAVE.

        Warning: If this file exists when a patch is installed, the patch
        cannot be deinstalled. Please be careful when using this feature.

        It is recommended that you move the PHNE_9987.text file to
        /var/adm/sw/patch for future reference.

        To put this patch on a magnetic tape and install from the tape
        drive, use the command:

                dd if=/tmp/PHNE_9987.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
        Must install PHCO_8449 (replacement of PHCO_7524) before installing
        PHNE_9987.

        WARNING: The commands patch, PHCO_8449, and the corresponding kernel
        patch, PHNE_9987, are dependent upon one another. The system *will
        not work* with just one of the two patches installed - both kernel
        and command patches must be installed or the RESULTING SYSTEM WILL
        BE UNUSABLE.