IBM AIX TCP Traffic Regulation

Enabling kernel-level TCP Denial-of-Service (DoS) attack mitigation

IBM® AIX® TCP Traffic Regulation (TR), introduced in IBM AIX 6.1 TL2, provides centralized port-based regulation of TCP connection resource utilization. TCP firewall profiles, customized by a security administrator, can now be loaded into the AIX kernel for active mitigation of TCP-based Denial-of-Service (DoS) attacks.

Lucas McLane (tmclane@us.ibm.com), AIX Information Assurance/Software Engineer, IBM  

author photoLucas McLane CISSP, works as an Information Assurance/Software Engineer for IBM AIX. Lucas has worked in IBM software development since 2002. He is a master ethical hacker and software engineer with a wide range of experience in complex virtualized environments, specializing in network security. Lucas is the lead developer for PHANTUM and serves on Texas Tech University's Computer Science Advisory Board. You can reach him at tmclane@us.ibm.com.



Marco Cabrera (macescandell@gmail.com), AIX Specialist, IBM  

author photoMarco Cabrera works as a Software Engineer in Austin, TX. He has been involved in software development for over six years. His skills are strong and diverse, ranging from web application technology (.NET, Java, and PHP) to hardcore systems programming serving as a key developer for AIX TCP/IP. You can reach him at macescandell@gmail.com.



01 December 2009

Also available in Chinese

Introduction

TCP network services and subsystems running on AIX automatically and transparently take advantage of this powerful DoS mitigation technology using simple administrative tuning. This new feature provides a simplified approach to increased network security by leveraging centralized management and firewall-based customization.

In addition to providing effective service-level and system-level TCP DoS mitigation, IBM AIX TCP Traffic Regulation provides system-wide TCP connection resource diversity across source Internet protocol addresses initiating connections.

Due to the mass adoption of Internet technology by governments, banks, universities, hospitals, and businesses around the world, our society has transformed to depend on the availability of network services for daily operation. It is imperative that our society's network infrastructure become resilient to active attacks on this availability.

IBM AIX TCP Traffic Regulation provides a low-cost solution for network service attack resiliency. Availability is assured at the operating system level, allowing for transparent mitigation of active and passive network denial-of-service attacks. To activate protection, an administrator defines a firewall profile and customizes it to protect the specific TCP ports handling critical services. These centralized custom firewall profiles provide the security administrator greater power and flexibility in tailoring network security solutions.


Operation system architecture

IBM AIX TCP Traffic Regulation provides a new architectural layer within the AIX operating system. The goal of this new layer is two-fold:

  • Provide a centralized management framework for defining custom TCP firewall profiles.
  • Actively manage incoming TCP socket connections and resource diversity in accordance to the current firewall policy.
Figure 1. IBM AIX TCP Traffic Regulation (TR) Architecture
TCP Traffic Regulation Architecture

The firewall policy itself is governed by the profile definitions added, removed, or modified by a systems administrator. Each profile consists of three elements:

  • TCP port or port-range requiring protection.
  • Maximum number of incoming socket connections allowed for this profile's TCP port(s).
  • Diversity value (a numerical quantity used to tune the overall diversity of shared TCP resources across the pool of maximum incoming socket connections).

This system of mitigation works transparently, requiring no change to existing applications. TCP TR actively manages incoming socket connection requests at the kernel level, allowing the mitigation to work transparently- requiring no change to existing applications (See Figure 1). Thus, any network service software running on AIX and operating on the TCP ports covered by these firewall profiles are automatically protected from denial-of-service attacks.

Firewall profiles are defined using the tcptr command-line utility. This utility provides interactive administration and scripted manipulation of TCP TR policies. The entire TCP TR system can be turned on or off with the tcptr_enable network option. For example, to activate the subsystem, use the following no command:

no -p -o tcptr_enable=1

The tcptr command assigns a maximum limit of incoming TCP connections to a given network port or a range of ports. Administrative users control system resources related to TCP TR by adding or removing pools of connection resources to be shared collectively by incoming socket requests remotely accessing the AIX TCP layer.

Optionally, a diversity tunable can be specified allowing for increased resource sharing policy control.

Once in effect, these TCP TR profiles become the active policy governing connections. The operating system automatically ensures that resources are shared across multiple remote IP addresses that are attempting to connect through TCP to a specific port.


Attack overview

Network services are generally agnostic to the underlying operating system resources available and allocated for their benefit of TCP communication. Most TCP services simply attempt to accept new socket connection requests as they are received. If left uncapped, a continuous barrage of TCP connection requests and subsequent consumption of TCP resources by these network services will eventually use up all the available system resources.

Figure 2. Topology for TCP resource exhaustion
Topology for TCP Resource Exhaustion

A malicious attacker can make use of this behavior and launch a remote denial-of-service attack against a vulnerable network service over the Internet. The attack eventually makes the service unavailable by establishing thousands of socket connection requests with the vulnerable system. This occurs either from bringing down the system itself or maxing out socket availability for the vulnerable service. Once the system or service has been made unavailable, legitimate clients are blocked from using the network service hosted by the system under attack (See Figure 2).


TCP TR utility

The TCP TR utility configures or displays TCP TR policy information to control the maximum incoming socket connections for ports. The syntax of the utility follows:

tcptr -add <start port> <end port> <max connection> [divisor]

tcptr -delete <start port> <end port>

tcptr -show

where:

  • -add adds new TCP TR policies to the system. You should specify the maximum allowable connections for the current policy, the start port, and the end port with this flag. The start port and the end port can be the same port when a port range is not specified. Optionally, you can specify a divisor to allow a greater diversity of resource sharing on the pool of available TCP connections.
  • -delete deletes existing TCP TR policies that are defined for the system. This flag requires the user specify the maximum allowable connections for the current policy, the start port, and the end port (can be the same as start port if not specifying a port-range).
  • -show displays all existing TCP TR policies defined on the system. You might use the -show flag to see the active policies before using the -delete flag.

The parameters are:

<max connection>Specifies the maximum incoming TCP connections for the given TR policy.
<start port>Specifies the beginning port for the current TR policy.
<end port>Specifies the end port for the current TR policy. If the port is a range, the value specified must be larger than the start port. If the TR policy is for a single port, the value specified must be equal to the value specified for the start port.
<divisor>Specifies a divisor to compare the number of available incoming TCP connections with the number of consumed incoming TCP connections for an IP, and corresponds to a division of the overall available connections by a power of two. The divisor is the power of two that is used in the division. This parameter is optional, and if it is not specified, the default value is one. In that case, half of the number of available connections are used.

Examples

To add a TCP Traffic Regulation Policy that covers only TCP port 23, and to set a maximum incoming connection pool of 256 with an available connections divisor of 3, enter the following command:

# tcptr -add 23 23 256 3

To add a TCP Traffic Regulation Policy that covers a TCP port that ranges from 5000 to 6000, and to set a maximum incoming connection pool of 5000 with an available connections divisor of 2, enter the following command:

# tcptr -add 5000 6000 5000 2

To show TCP Traffic Regulation Policies set for the system, enter the following command:

# tcptr -show

To delete the TCP Traffic Regulation Policy that covers a TCP port that ranges from 5000 to 6000, enter the following command:

# tcptr -delete 5000 6000

Summary

IBM AIX TCP Traffic Regulation provides a low-cost solution for network service attack resiliency. Availability is assured at the operating system level allowing for transparent mitigation of active and/or passive network denial-of-service attacks. Network services requiring security and availability should benefit from this powerful operating system technology.

Resources

Learn

Discuss

Comments

developerWorks: Sign in

Required fields are indicated with an asterisk (*).


Need an IBM ID?
Forgot your IBM ID?


Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.

 


The first time you sign into developerWorks, a profile is created for you. Select information in your profile (name, country/region, and company) is displayed to the public and will accompany any content you post. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name



The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.

 


All information submitted is secure.

Dig deeper into AIX and Unix on developerWorks


static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=AIX and UNIX
ArticleID=451649
ArticleTitle=IBM AIX TCP Traffic Regulation
publish-date=12012009