foureleven.org

Rosetta Stone: Performance and Security Tuning

This document is conceptually similar to and inspired by Bruce Hamilton's Rosetta Stone for Unix.

The goal of this document is to relate standard network and system variables across all operating systems that we will encounter in our careers and hobbies. Unlike the Rosetta Stone for Unix, this table focuses on design choices, specifically network performance and security tuning, not daily operations. This document originated as a Slashdot post that tried to enumerate the ways to reconfigure the TCP TIME_WAIT (2*MSL) delay across various operating systems. Who would have guessed that Windows 2000 exposes this as a registry value, but Linux does not (it is a compile-time constant)?

Recommended values are given first. Default values follow in parentheses.

There are conflicts. Blindly following the recommendations without researching and understanding the implications may result in degraded performance or compromised security. As an example, the TCP timestamps option can be used to remotely gather system uptime. Timestamps (RFC 1323) are not part of selective acknowledgement (SACK, RFC 2018, which lets a receiver acknowledge discontiguous blocks and is covered separately below); they put a sender clock value (TSval) in every segment so that both ends can measure round-trip time accurately and so that PAWS (Protection Against Wrapped Sequence numbers) can reject stale segments on fast links. Because most stacks start that clock at boot, a remote observer who watches TSval advance over a few seconds can compute the tick rate and hence the uptime. Enabling RFC 1323 window scaling and timestamps may improve TCP performance, but it may expose your system to uptime enumeration as well, a potential information disclosure risk.

Attempts were made to condense the table without losing pertinent information. We exclude the exact CLI arguments and do not enumerate the various ways a change may be committed (writing /proc versus using sysctl, for example). GNU/Linux and *BSD (including Darwin) systems may be modified dynamically using sysctl, Solaris and HP-UX using ndd, IRIX with systune, AIX with no, and Windows with regedit (registry changes persist, but most TCP/IP parameters take effect only after a reboot). To make a sysctl or ndd change persist across reboots, the appropriate configuration file (sysctl.conf, rc.conf, /etc/system) must be updated.
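The check a practitioner wants after applying any of the rows below is whether the running kernel actually reflects them. The following is an added example for this page, not code from it: a small audit script that reads a Linux host's live /proc/sys values and compares them with a hand-typed subset of the GNU/Linux column (RECOMMENDED), while reporting the knobs the introduction flags as trade-offs (CONFLICTS) without counting them as failures. The subset, the conflict notes and the /proc/sys reader are assumptions of the example; audit() itself works on any snapshot dictionary, so it can be exercised on a non-Linux host.

```python
"""Audit a Linux host's live kernel settings against recommended values.

Added example for this page, not code from it.  RECOMMENDED is a hand-typed
subset of the GNU/Linux column of the table; CONFLICTS and the /proc/sys
reader are assumptions of the example.  Values are read from /proc/sys only
when that tree exists, so audit() can be exercised with any snapshot.
"""
import sys
from typing import Dict, List, Optional, Tuple

# key -> recommended value (strings, exactly as /proc/sys yields them)
RECOMMENDED: Dict[str, str] = {
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.tcp_max_syn_backlog": "4096",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.conf.all.forwarding": "0",
    "net.ipv4.ip_local_port_range": "16384 65535",
}

# Knobs whose recommended value trades one property for another, as the
# introduction warns; they are reported for review, never as failures.
CONFLICTS: Dict[str, str] = {
    "net.ipv4.tcp_timestamps": "1 gives RFC 1323 RTT measurement and PAWS "
                               "but leaks uptime; 0 closes the leak",
    "net.ipv4.tcp_tw_recycle": "breaks clients behind NAT; removed in Linux 4.12",
}


def proc_path(key: str) -> str:
    """net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies"""
    return "/proc/sys/" + key.replace(".", "/")


def read_live(keys) -> Dict[str, Optional[str]]:
    """Current values from /proc/sys; None when the knob does not exist
    (non-Linux host, or a kernel that lacks or has dropped that sysctl)."""
    live: Dict[str, Optional[str]] = {}
    for key in keys:
        try:
            with open(proc_path(key)) as fh:
                live[key] = fh.read().strip()
        except OSError:
            live[key] = None
    return live


def normalize(value: str) -> Tuple[str, ...]:
    """/proc/sys separates multi-value knobs with tabs ("32768\t60999");
    compare token-wise so whitespace differences are not reported."""
    return tuple(value.split())


def audit(recommended: Dict[str, str],
          live: Dict[str, Optional[str]]) -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """Return ({key: (wanted, actual)} for mismatches, [keys absent on host])."""
    mismatches: Dict[str, Tuple[str, str]] = {}
    missing: List[str] = []
    for key, wanted in recommended.items():
        actual = live.get(key)
        if actual is None:
            missing.append(key)
        elif normalize(actual) != normalize(wanted):
            mismatches[key] = (wanted, actual)
    return mismatches, missing


def fix_commands(mismatches: Dict[str, Tuple[str, str]]) -> List[str]:
    """sysctl -w lines that would bring the host in line.  Review them
    first; persist agreed values in /etc/sysctl.conf."""
    return ['sysctl -w %s="%s"' % (key, wanted)
            for key, (wanted, _actual) in sorted(mismatches.items())]


if __name__ == "__main__":
    live = read_live(list(RECOMMENDED) + list(CONFLICTS))
    mismatches, missing = audit(RECOMMENDED, live)
    for key, (wanted, actual) in sorted(mismatches.items()):
        print("MISMATCH %-45s want %-12s have %s" % (key, wanted, actual))
    for key in missing:
        print("ABSENT   %s" % key)
    for key, note in CONFLICTS.items():
        print("REVIEW   %-45s = %s  (%s)" % (key, live.get(key), note))
    print("\n".join(fix_commands(mismatches)))
    sys.exit(1 if mismatches else 0)
```

Keys reported as ABSENT are not necessarily a problem: the table spans kernel generations, and a knob such as tcp_tw_recycle simply does not exist on current kernels. Treat MISMATCH lines as the actionable output and the REVIEW lines as the conflicts the introduction asks you to think about before changing anything.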

Author: Lyle Tagawa
Date: 2004/11/04 18:52:01
Revision 1.4, 2009/10/26 23:37:24: Added OpenBSD, NetBSD, Mac OS X


network performance

TCP SYN cookies
    SYN cookies are the key element of a technique used to guard against SYN flood attacks. Daniel J. Bernstein, the technique's primary inventor, defines SYN cookies as "particular choices of initial TCP sequence numbers by TCP servers." The server encodes what it needs to know about a half-open connection into the ISN of its SYN-ACK and keeps no state for it, so when the SYN queue fills up it can keep accepting connections instead of dropping them. The cost is that TCP options from the SYN (window scaling, SACK) cannot be remembered for cookie-validated connections, so stacks only fall back to cookies once the queue is full.
    http://cr.yp.to/syncookies.html
    http://support.microsoft.com/default.aspx?scid=kb;en-us;315669
    net.inet.tcp.syncookies=1 (1)    [FreeBSD 4.x]
    net.inet.tcp.syncachelimit (10255)    [OpenBSD]   (SYN cache rather than cookies: total cached SYNs)
    net.inet.tcp.synbucketlimit (105)    [OpenBSD]   (SYN cache entries per hash bucket)
    net.ipv4.tcp_syncookies=1 (0)    [GNU/Linux 2.4.x]   (one knob covers IPv4 and IPv6; there is no net.ipv6.tcp_syncookies)
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect Dword:2 (0)    [Windows NT 3.51]
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxPortsExhausted Dword:5 (5)    [Windows 2000]   (SYN-attack protection engages once this many connection requests have been refused)
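To make the "particular choice of initial sequence number" concrete, here is an added example (not code from this page or from any operating system) of the construction Bernstein describes: the server folds a coarse time counter, an MSS class and a keyed hash of the connection 4-tuple into the ISN, keeps nothing, and later validates the client's ACK by recomputing the hash. The bit layout (5-bit minute counter, 3-bit MSS index, 24-bit MAC), the MSS table, the secret and the sample addresses are assumptions chosen for illustration; real stacks differ in detail but not in shape.

```python
"""SYN cookies in the style of D. J. Bernstein's description: the server
folds a time counter, an MSS class and a keyed hash of the 4-tuple into the
initial sequence number of its SYN-ACK, keeps no half-open state, and
reconstructs what it needs from the client's final ACK.

Added example, not code from the page or from any operating system.  The bit
layout (5-bit minute counter | 3-bit MSS index | 24-bit MAC), the MSS table
and the secret are assumptions chosen for illustration.
"""
import hashlib
import hmac
import struct
from typing import Optional

# MSS classes the cookie can encode (assumed table; 3 bits -> 8 entries).
MSS_TABLE = (536, 1024, 1220, 1440, 1460, 4312, 8960, 65495)

# Assumption: a per-boot random secret, rotated periodically in a real stack.
SECRET = b"per-boot-random-secret"

MASK32 = 0xFFFFFFFF


def mss_index(mss: int) -> int:
    """Largest table entry that does not exceed the MSS the client offered."""
    idx = 0
    for i, entry in enumerate(MSS_TABLE):
        if entry <= mss:
            idx = i
    return idx


def _mac24(saddr: bytes, daddr: bytes, sport: int, dport: int, counter: int) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple and the minute."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, counter & MASK32)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr: bytes, daddr: bytes, sport: int, dport: int,
                client_mss: int, minute: int) -> int:
    """ISN for the SYN-ACK.  'minute' is a coarse clock (e.g. time()//60)."""
    t5 = minute & 0x1F
    return ((t5 << 27) | (mss_index(client_mss) << 24)
            | _mac24(saddr, daddr, sport, dport, minute)) & MASK32


def check_cookie(cookie: int, saddr: bytes, daddr: bytes, sport: int, dport: int,
                 minute: int, max_age: int = 1) -> Optional[int]:
    """Validate a cookie recovered from the ACK.  Returns the MSS to use for
    the connection, or None if the cookie is stale or was not issued by us."""
    t5 = cookie >> 27
    age = (minute - t5) & 0x1F          # minutes since issue, modulo 32
    if age > max_age:
        return None                     # stale: older than max_age minutes
    issued = minute - age               # reconstruct the full counter
    if (cookie & 0xFFFFFF) != _mac24(saddr, daddr, sport, dport, issued):
        return None                     # forged, replayed on another 4-tuple, or old key
    return MSS_TABLE[(cookie >> 24) & 0x7]


def accept_ack(ack_number: int, saddr: bytes, daddr: bytes, sport: int, dport: int,
               minute: int) -> Optional[int]:
    """Server side on the third handshake segment: the client's ACK number
    is our ISN + 1, so the cookie is ack - 1 (mod 2^32)."""
    return check_cookie((ack_number - 1) & MASK32, saddr, daddr, sport, dport, minute)


if __name__ == "__main__":
    # Constructed exchange: client 10.0.0.5:40001 -> server 192.0.2.10:80
    c, s = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])
    isn = make_cookie(c, s, 40001, 80, client_mss=1460, minute=1234)
    print("SYN-ACK seq=%#010x" % isn)
    print("ACK accepted, mss=%s" % accept_ack(isn + 1, c, s, 40001, 80, minute=1234))
    print("same ACK three minutes later:", accept_ack(isn + 1, c, s, 40001, 80, minute=1237))
```

The 24-bit MAC is what makes the cookie worth more than a random ISN: an attacker who completes a forged handshake must guess it, and the minute counter bounds replay to a two-minute window. The limitation the table's OS knobs work around is visible too: nothing but the MSS class survives from the original SYN, which is why stacks use cookies only once the backlog is full.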
TCP max SYN backlog
    Maximum number of pending (half-open, SYN_RCVD) connection requests a listening socket will hold; beyond it, new SYNs are dropped or, where enabled, answered with SYN cookies.
    kern.ipc.somaxconn=4096 (128)    [FreeBSD 4.x]   (listen(2) backlog cap; also listed under TCP max connections)
    net.ipv4.tcp_max_syn_backlog=4096 (256)    [GNU/Linux 2.2.x]
    net.ipv4.tcp_max_syn_backlog=4096 (1024)    [GNU/Linux 2.4.x]   (half-open entries per listener; the completed-connection queue is net.core.somaxconn)
    tcp_conn_req_max_q0=4096 (128)    [Solaris 2.5.1]
    tcp_conn_req_max_q0=4096 (1024)    [Solaris 2.6]
    HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklog Dword:1 (0)    [Windows NT 3.51]
    HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBacklog Dword:20 (0)    [Windows NT 3.51]
    HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBacklog Dword:20000 (0)    [Windows NT 3.51]
    HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters\DynamicBacklogGrowthDelta Dword:10 (0)    [Windows NT 3.51]
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen Dword:500 (100)    [Windows NT 3.51]   (half-open connections before SynAttackProtect engages)
    tcp_syn_rcvd_max=4096 (500)    [HP-UX 11.00]

TCP max connections
    Maximum number of completed connections queued for accept(2), i.e. the cap on the listen(2) backlog; a busy server that is slow to accept needs this raised alongside the SYN backlog.
    kern.ipc.somaxconn=4096 (128)    [FreeBSD 4.x, Mac OS X]
    net.core.somaxconn=4096 (128)    [GNU/Linux 2.4.x]
    tcp_conn_req_max_q=4096 (128)    [Solaris 2.5.1]
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpNumConnections Dword:16777214 (16777214)    [Windows 2000]   (total open connections, not a queue limit)

TCP SYN-ACK retries
    Number of times the SYN-ACK for a passive connection attempt is retransmitted before the half-open connection is dropped. Fewer retries free backlog slots sooner under a SYN flood, at the cost of clients on lossy paths. The Solaris and Windows entries are the retransmission timers and retry counts that bound the same timeout.
    net.ipv4.tcp_synack_retries=4 (5)    [GNU/Linux 2.4.x]
    tcp_rexmit_interval_initial=3000 (3000)    [Solaris 2.5.1]   (ms)
    tcp_rexmit_interval_min=3000 (200)    [Solaris 2.5.1]   (ms)
    tcp_rexmit_interval_min=3000 (400)    [Solaris 2.8]   (ms)
    tcp_rexmit_interval_max=240000 (240000)    [Solaris 2.6]   (ms)
    tcp_rexmit_interval_max=240000 (60000)    [Solaris 2.8]   (ms)
    tcp_ip_abort_interval=600000 (480000)    [Solaris 2.5.1]   (ms; total time before an unacknowledged connection is aborted)
    tcp_ip_abort_interval=600000 (120000)    [Solaris 2.x]   (ms)
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions Dword:2 (2)    [Windows NT 3.51]   (SYN-ACK retries)
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectRetransmissions Dword:2 (2)    [Windows 2000]   (SYN retries for active opens)
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions Dword:3 (5)    [Windows 2000]
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried Dword:190 (80)    [Windows 2000]   (half-open connections with at least one retransmission before SynAttackProtect engages)
TCP FIN-WAIT-2 timeout
    Time to hold a socket in FIN-WAIT-2: the local side has sent its FIN and had it acknowledged and is waiting for the peer's FIN. Without a bound, a peer that never closes its half of the connection pins the socket forever. On Linux the value applies only to orphaned sockets (ones the application has already closed).
    RFC 793
    net.ipv4.tcp_fin_timeout=30 (60)    [GNU/Linux 2.4.x]   (seconds)
    tcp_fin_wait_2_flush_interval=67500 (675000)    [Solaris 2.5.1]   (ms)
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpFinWait2Delay Dword:30 (120)    [Windows 2000]   (seconds)

TCP TIME_WAIT
    Time to hold a socket in TIME-WAIT, which represents waiting for enough time to pass (2*MSL) to be sure the remote TCP received the acknowledgment of its connection termination request and that stray segments from the old connection have expired. The side that closes first pays this cost, so a busy client, proxy or load balancer can exhaust its ephemeral port range (see Non-privileged port range below).
    RFC 793
    (TCP_TIMEWAIT_LEN == 60*HZ; compile-time constant, not exposed via sysctl)    [GNU/Linux 2.4.x]
    net.ipv4.tcp_tw_reuse=1 (0)    [GNU/Linux 2.4.x]   (reuse TIME-WAIT sockets for new outgoing connections when timestamps show it is safe; requires tcp_timestamps=1)
    net.ipv4.tcp_tw_recycle=1 (0)    [GNU/Linux 2.4.x]   (caution: drops SYNs from clients behind a NAT whose per-host timestamps go backwards; removed in Linux 4.12)
    tcp_close_wait_interval=60000 (240000 == 2MSL)    [Solaris 2.6]   (ms)
    tcp_time_wait_interval=60000 (240000 == 2MSL)    [Solaris 7]   (ms)
    tcp_time_wait_interval=60000 (60000)    [Solaris 9]   (ms)
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay Dword:60 (240)    [Windows 2000]   (seconds; minimum 30)
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay Dword:60 (120)    [Windows XP/2003]   (seconds)
    tcp_2msl=60    [IRIX]   (seconds)

TCP Maximum Segment Lifetime
    The longest time a segment is assumed to survive in the network; TIME-WAIT is defined as 2*MSL. RFC 793 specifies 2 minutes, which most stacks shorten. On the BSDs this, not a TIME-WAIT knob, is what sets the TIME-WAIT hold time.
    RFC 793
    net.inet.tcp.msl=30000 (30000)    [FreeBSD 4.x]   (ms; gives a 60 s TIME-WAIT)
    net.inet.tcp.msl    [Mac OS X]   (ms)
TCP keepalive
    After a connection has been idle for the keepalive time, the stack sends a probe; if no acknowledgement arrives it repeats the probe at the keepalive interval, and after the configured number of unanswered probes the connection is dropped. Shorter values detect dead peers (and free their state) sooner at the cost of extra traffic. Keepalives are sent only for sockets that set SO_KEEPALIVE.
    RFC 1122
    net.inet.tcp.keepidle (7200000)    [FreeBSD 4.x, Mac OS X]   (ms; idle time before the first probe)
    net.inet.tcp.keepintvl (75000)    [FreeBSD 4.x, Mac OS X]   (ms; interval between probes)
    net.inet.tcp.keepidle, net.inet.tcp.keepintvl    [OpenBSD]   (same knobs, counted in half-second ticks)
    net.ipv4.tcp_keepalive_time=3600 (7200)    [GNU/Linux 2.4.x]   (seconds)
    net.ipv4.tcp_keepalive_probes=9 (9)    [GNU/Linux 2.4.x]
    net.ipv4.tcp_keepalive_intvl=75 (75)    [GNU/Linux 2.4.x]   (seconds)
    tcp_keepalive_interval=3600000 (7200000)    [Solaris 2.x]   (ms)
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveInterval Dword:1000 (1000)    [Windows 2000]   (ms; interval between probes)
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime Dword:3600000 (7200000)    [Windows 2000]   (ms; idle time before the first probe)

TCP window scaling
    The window scale option lets the receive window exceed the 65,535-byte maximum of the 16-bit header field (up to 1 GiB with a shift of 14). It is needed whenever the bandwidth-delay product exceeds 64 KiB, and both ends must negotiate it in the SYN.
    RFC 1323
    net.inet.tcp.rfc1323=1 (1)    [FreeBSD 4.x, NetBSD 1.2]   (one knob enables window scaling and timestamps together)
    net.ipv4.tcp_window_scaling=1 (1)    [GNU/Linux 2.4.x]
    tcp_wscale_always=1 (0; negotiated)    [Solaris 2.6]
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Tcp1323Opts Dword:1 (0)    [Windows 2000]   (bit 0 = window scaling, bit 1 = timestamps; 3 enables both)

TCP send/receive window size
    The window needed to keep a path full is the bandwidth-delay product: window (bytes) = bandwidth (bits/s) / 8 * rtt (s). Windows above 64 KiB need window scaling (above). These knobs set the default socket buffer sizes, which bound the advertised window unless the application sets SO_SNDBUF/SO_RCVBUF itself.
    http://proj.sunet.se/E2E/tcptune.html
    net.inet.tcp.sendspace=32768    [FreeBSD 4.x, OpenBSD, Mac OS X]   (bytes)
    net.inet.tcp.recvspace=32768 (57344)    [FreeBSD 4.x, OpenBSD, Mac OS X]   (bytes)
    net.inet.udp.sendspace=32768 (9216)    [FreeBSD 4.x, OpenBSD, Mac OS X]   (bytes; also the largest UDP datagram that can be sent)
    net.inet.udp.recvspace=32768 (42080)    [FreeBSD 4.x, OpenBSD, Mac OS X]   (bytes)
    tcp_xmit_hiwat=32768 (8192)    [Solaris 2.x]
    tcp_xmit_hiwat=32768 (16384)    [Solaris 2.8]
    tcp_recv_hiwat=32768 (8192)    [Solaris 2.x]
    tcp_recv_hiwat=32768 (24576)    [Solaris 2.8]
    udp_xmit_hiwat=16384 (8192)    [Solaris 2.x]
    udp_recv_hiwat=16384 (8192)    [Solaris 2.x]
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowSize (8760)    [Windows 2000]   (bytes)
    HKLM\SYSTEM\CurrentControlSet\Services\VxD\MSTCP\DefaultRcvWindow    [Windows 95/98]

TCP delayed ACK
    A host receiving a stream of TCP data segments can increase efficiency in both the Internet and the hosts by sending fewer than one ACK per data segment received (at most one per two full-sized segments, and never delayed more than 500 ms). Too long a delay interacts badly with Nagle's algorithm on request/response traffic, which is why the minimum is tuned down rather than up.
    RFC 1122
    net.inet.tcp.delayed_ack=1 (1)    [FreeBSD, Mac OS X]
    net.inet.tcp.delacktime=100 (100)    [FreeBSD 4.x]   (ms)
    (TCP_DELACK_MIN == HZ/25, i.e. 40 ms; compile-time constant)    [GNU/Linux 2.4.x]
    tcp_deferred_ack_interval=200 (50)    [Solaris 2.x]   (ms)
    tcp_deferred_ack_interval=200 (100)    [Solaris 2.8]   (ms)

TCP selective ACK
    With selective acknowledgments the receiver can tell the s​ender exactly which segments have arrived, so the sender need retransmit only the segments actually lost instead of everything after the first hole.
    RFC 2018
    net.inet.tcp.sack=1 (1)    [OpenBSD]
    net.inet.tcp.sack=1 (1)    [Mac OS X 10.4.6]
    net.inet.tcp.sack.enable=1 (1)    [FreeBSD 5.3]
    net.ipv4.tcp_dsack=1 (1)    [GNU/Linux 2.4.x]   (duplicate-SACK reporting, RFC 2883)
    net.ipv4.tcp_sack=1 (1)    [GNU/Linux 2.4.x]
    tcp_sack_permitted=2 (2)    [Solaris 9]   (0 = off, 1 = accept if offered, 2 = offer and accept)
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Dword=1 (1)    [Windows 2000]
network security

ARP cache cleanup interval
    How long an ARP entry is kept before it must be re-resolved. A shorter lifetime limits how long a poisoned entry persists and makes a host notice a moved address sooner, at the cost of more ARP traffic; it does not by itself prevent ARP spoofing.
    net.link.ether.inet.max_age=60 (1200)    [FreeBSD 4.x, Mac OS X]   (seconds)
    arp_cleanup_interval=60000 (300000)    [Solaris 2.x]   (ms)
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ArpCacheLife Dword:60 (120)    [Windows 2000]   (seconds, for entries not recently used)
    arpt_killc=20    [AIX]   (minutes)

Broadcast proxy / relay
    A host that is not a router should not relay BOOTP broadcasts, answer ARP on behalf of other hosts, or forward directed broadcasts (the amplifier used in smurf attacks).
    net.ipv4.conf.all.bootp_relay=0 (0)    [GNU/Linux 2.4.x]
    net.ipv4.conf.all.proxy_arp=0 (0)    [GNU/Linux 2.4.x]
    ip_forward_directed_broadcasts=0 (1)    [Solaris 2.x]
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ForwardBroadcasts Dword:0 (0)    [Windows 2000]

IP max fragments
    Bounds the memory spent holding partially reassembled datagrams, so that a flood of incomplete fragments (a classic resource-exhaustion attack) cannot starve the stack.
    net.inet.ip.maxfragpackets, net.inet6.ip6.maxfragpackets=16384 (16384)    [FreeBSD 4.x]
    net.ipv4.ipfrag_high_thresh (262144), net.ipv4.ipfrag_low_thresh (196608)    [GNU/Linux 2.4.x]   (bytes; new fragments are discarded above the high mark until memory falls below the low mark)
    net.ipv6.ip6frag_high_thresh, net.ipv6.ip6frag_low_thresh    [GNU/Linux 2.4.x]
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableFragmentChecking Dword:1 (0)    [Windows 2000]
IP reverse path filtering
    Drop a packet whose source address would not be routed back out the interface it arrived on. This stops spoofed-source packets at the host (ingress filtering, RFC 2827), but it also drops legitimate traffic on asymmetrically routed links, which is why a loose mode exists on Linux (rp_filter=2: any route to the source suffices).
    RFC 2827
    net.ipv4.conf.all.rp_filter=1 (0)    [GNU/Linux 2.4.x]
    net.ipv4.conf.default.rp_filter=1 (0)    [GNU/Linux 2.4.x]
    ip_strict_dst_multihoming=1 (0)    [Solaris 2.x]   (closest equivalent: accept only packets addressed to the receiving interface)
    ip6_strict_dst_multihoming=1 (0)    [Solaris 2.x]
    HKLM\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters\QueryIPMatching Dword:1    [Windows 2000]   (DNS client: accept replies only from the server that was queried; related in spirit, not an IP-layer filter)
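What rp_filter decides per packet is easier to see in code than in prose. The following is an added example, not code from this page or from any kernel: a longest-prefix-match lookup over a constructed three-interface routing table, with the strict and loose verdicts side by side and the martian check that log_martians (below) reports on. The interface names, the routing table and the sample packets are all constructed for the example.

```python
"""What net.ipv4.conf.*.rp_filter decides, per packet.  Added example, not
code from the page or from any kernel.  The routing table, the interface
names and the sample packets are constructed for the example.

Strict mode (1): the packet's source address must be routed back out the
interface the packet arrived on.  Loose mode (2): any route to the source
suffices.  Martian sources (loopback, multicast, unspecified) are rejected
regardless of mode; with log_martians=1 the kernel logs them.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]   # (prefix, outgoing interface)

# Constructed host routing table: one upstream, one internal, one DMZ interface.
ROUTES: List[Route] = [
    ("0.0.0.0/0", "eth0"),        # default route, Internet side
    ("10.0.0.0/8", "eth1"),       # internal networks
    ("192.168.5.0/24", "eth2"),   # DMZ
]


def lookup(table: List[Route], addr: str) -> Optional[str]:
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best: Optional[str] = None
    best_len = -1
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net and net.prefixlen > best_len:
            best, best_len = iface, net.prefixlen
    return best


def is_martian(addr: str) -> bool:
    """Source addresses that can never legitimately arrive on a wire."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_multicast or ip.is_unspecified


def rp_filter(mode: int, table: List[Route], src: str, in_iface: str) -> str:
    """Verdict for a packet from 'src' arriving on 'in_iface':
    'accept', 'drop-martian' or 'drop-rpf'.  mode: 0 off, 1 strict, 2 loose."""
    if is_martian(src):
        return "drop-martian"
    if mode == 0:
        return "accept"
    out_iface = lookup(table, src)
    if out_iface is None:
        return "drop-rpf"                 # no route back to the source at all
    if mode == 2 or out_iface == in_iface:
        return "accept"
    return "drop-rpf"                     # strict: reverse path leaves by another interface


if __name__ == "__main__":
    # Constructed packets: (source, arrival interface, what it represents)
    packets = [
        ("10.1.2.3", "eth0", "internal address arriving from the Internet (spoofed)"),
        ("198.51.100.7", "eth0", "ordinary Internet client"),
        ("192.168.5.9", "eth1", "DMZ host reached over an asymmetric path"),
        ("127.0.0.1", "eth0", "loopback source on the wire (martian)"),
    ]
    for mode in (0, 1, 2):
        print("rp_filter=%d" % mode)
        for src, iface, what in packets:
            verdict = rp_filter(mode, ROUTES, src, iface)
            print("  %-14s on %s -> %-12s (%s)" % (src, iface, verdict, what))
```

Two things the table rows alone do not convey fall out of running it: strict mode drops the spoofed internal address on eth0 but also the legitimate DMZ host that arrives on eth1, and loose mode accepts everything on a host with a default route, because every source has "some" route. Loose mode is therefore only meaningful on hosts without a default route, and strict mode only where routing is symmetric.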
IP route flush interval
    How long a cached route (on Solaris, an IRE) lives before it is re-evaluated; shorter intervals make the host forget an injected or stale route sooner.
    net.inet.ip.rtexpire, net.inet6.ip6.rtexpire (3600)    [FreeBSD 4.x]   (seconds)
    ip_ire_flush_interval=60000 (1200000)    [Solaris 2.x]   (ms)
    ip_ire_arp_interval=60000 (1200000)    [Solaris 2.x]   (ms)

IP forwarding
    A host that is not a router should not forward packets between its interfaces; a forwarding host can be used as a hop into the networks behind it.
    net.inet.ip.forwarding=0 (0)    [FreeBSD 4.x, OpenBSD, Mac OS X]
    net.ipv4.conf.all.forwarding=0 (0)    [GNU/Linux 2.4.x]   (net.ipv4.ip_forward is the same switch)
    net.ipv4.conf.default.forwarding=0 (0)    [GNU/Linux 2.4.x]
    ip_forwarding=0 (2)    [Solaris 2.x]   (2 = decide at boot: forward when more than one interface is configured)
    ip_forwarding=0 (1)    [Solaris 2.8]
    ip6_forwarding=0 (1)    [Solaris 2.8]
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter Dword:0 (0)    [Windows 2000]

IP source routing
    Source-routed packets (the IPv4 LSRR/SSRR options, the IPv6 type 0 routing header) let the sender dictate the path a packet takes and the path its reply takes. That defeats route-based access controls and lets an attacker bounce traffic through a trusted host, so neither accept nor forward them.
    net.inet.ip.sourceroute=0 (0)    [FreeBSD 4.x, OpenBSD, Mac OS X]   (forwarding of source-routed packets)
    net.inet.ip6.sourceroute=0 (0)    [FreeBSD 4.x, OpenBSD]
    net.inet.ip.accept_sourceroute=0 (0)    [FreeBSD 4.x, Mac OS X]   (acceptance of source-routed packets addressed to this host)
    net.inet.ip6.accept_sourceroute=0    [FreeBSD 4.x]
    net.ipv4.conf.all.accept_source_route=0 (1)    [GNU/Linux 2.x]
    net.ipv4.conf.all.mc_forwarding=0 (0)    [GNU/Linux 2.x]   (read-only; set by a multicast routing daemon)
    net.ipv[46].conf.all.forwarding=0 (0)    [GNU/Linux 2.x]
    (ip|ip6)_forward_src_routed=0 (1)    [Solaris 2.x]
    tcp_rev_src_routes=0 (0)    [Solaris 2.x]   (do not reverse a received source route for the return path)
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting Dword:2 (1)    [Windows 2000]   (1 = do not forward, 2 = drop all source-routed packets)
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting Dword:2 (0)    [Windows 2003]
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ArpAlwaysSourceRoute Dword:0    [Windows 2000]   (Token Ring only)
    ipsrcroutesend=0    [AIX]
    ipsrcrouteforward=0    [AIX]
    ip_src_route_forward=0    [HP-UX]

IP dead gateway detection
    Lets the stack switch to a backup default gateway when the primary stops answering. A spoofed failure can therefore steer the host's traffic to an attacker-chosen gateway, so disable it where the gateway list is not trusted or not needed.
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect Dword:0 (1)    [Windows 2000]
ICMP redirect
    ICMP type 5 tells a host to reach a destination through a different router. Ignore received redirects (and do not send them) so that a rogue host on the LAN cannot manipulate the host's routes; in practice this is combined with ARP spoofing to interpose a machine in the middle.
    RFC 792
    net.inet.ip.redirect=0 (1)    [FreeBSD 4.x, OpenBSD, Mac OS X]   (sending of redirects)
    net.inet6.ip6.redirect=0 (1)    [FreeBSD 4.x, OpenBSD]
    net.inet.icmp.drop_redirect=1 (0)    [FreeBSD 4.x, Mac OS X]   (ignore received redirects)
    net.inet.icmp.log_redirect=1 (0)    [FreeBSD 4.x, Mac OS X]
    net.inet.icmp.rediraccept=0    [OpenBSD]
    net.inet6.icmp6.rediraccept=0    [OpenBSD]
    net.ipv4.conf.all.(send|accept)_redirects=0 (1)    [GNU/Linux 2.4.x]
    net.ipv6.conf.all.accept_redirects=0 (1)    [GNU/Linux 2.4.x]
    (ip|ip6)_ignore_redirect=1 (0)    [Solaris 2.x]
    (ip|ip6)_send_redirects=0 (1)    [Solaris 2.x]
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect Dword:0 (1)    [Windows 2000]
    icmp_dropredirects=1    [IRIX]
    ip_send_redirects=0    [HP-UX]
    ipignoreredirects=1    [AIX]
    ipsendredirects=0    [AIX]

ICMP path MTU discovery
    Path MTU discovery (PMTUD) determines the largest datagram that can cross the path between two hosts without fragmentation: the sender sets DF and relies on routers to return ICMP type 3 code 4 (fragmentation needed) when a packet is too large. Filters must let type 3 code 4 through; otherwise connections "black-hole": small packets such as the three-way handshake succeed, but full-size data segments vanish without any error.
    RFC 1191
    net.inet.tcp.path_mtu_discovery=1 (1)    [FreeBSD, Mac OS X]
    net.inet.ip.mtudisc=1 (1)    [NetBSD, OpenBSD]
    net.ipv4.ip_no_pmtu_disc=0 (0)    [GNU/Linux 2.4.x]
    ip_path_mtu_discovery=1 (1)    [Solaris 2.x]
    tcp_mss_def_ipv4=536 (536)    [Solaris 2.8]   (MSS used when no path MTU information is available)
    tcp_mss_def_ipv6=1220 (1220)    [Solaris 2.8]
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery Dword:1 (1)    [Windows 2000]
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUBHDetect Dword:1 (0)    [Windows 2000]   (black-hole detection: retry with DF cleared when large segments go unacknowledged)

ICMP rate-limit
    Caps the rate of ICMP error messages (and, on FreeBSD, TCP RSTs) the host generates, so that a port scan or a flood of packets to closed ports cannot make it amplify traffic or saturate its own uplink. A side effect is that scans against the host become slower and noisier.
    net.inet.icmp.icmplim=50 (200)    [FreeBSD 4.x, Mac OS X]   (packets per second)
    net.inet.icmp.errppslimit=50    [OpenBSD, NetBSD]   (packets per second)
    net.inet6.icmp6.errppslimit=50    [OpenBSD, NetBSD]
    net.ipv4.icmp_ratelimit=50 (100)    [GNU/Linux 2.4.x]   (jiffies between messages; 100 == one per second at HZ=100)
    ip_icmp_err_interval=100 (100)    [Solaris 9]   (ms)
    ip_icmp_err_burst=10 (10)    [Solaris 9]   (errors allowed per interval)

ICMP netmask request
    ICMP types 17 (address mask request) and 18 (address mask reply): the reply carries the network mask of the interface that processed the request, and can be used to map subnet structure accurately, determine the broadcast addresses in use, and learn which routers are responsible for which subnets. Refuse to answer.
    iptables -A INPUT -p icmp --icmp-type address-mask-request -j DROP    [GNU/Linux 2.4.x]
    iptables -A OUTPUT -p icmp --icmp-type address-mask-reply -j DROP    [GNU/Linux 2.4.x]
    net.inet.icmp.maskrepl=0 (0)    [FreeBSD 4.x, NetBSD, OpenBSD, Mac OS X]
    ip_respond_to_address_mask_broadcast=0 (0)    [Solaris 2.x]
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableAddrMaskReply Dword:0 (0)    [Windows 2000]
    no ip mask-reply    [Cisco IOS]   (interface configuration)
    icmpaddressmask=0    [AIX]
    ip_respond_to_address_mask_broadcast=0    [HP-UX]
ICMP broadcast echo request / IP directed broadcast
    Answering echo requests sent to a broadcast address, or forwarding directed broadcasts arriving from outside, lets the host or the whole subnet act as an amplifier (smurf) against a spoofed source.
    RFC 2644 (directed broadcast)
    net.inet.icmp.bmcastecho=0 (1)    [FreeBSD 4.x, Mac OS X]
    net.inet.ip.directed-broadcast=0 (0)    [NetBSD, OpenBSD]
    net.ipv4.icmp_echo_ignore_broadcasts=1 (0)    [GNU/Linux 2.4.x]
    ip_respond_to_echo_broadcast=0 (1)    [Solaris 2.x]
    ip6_respond_to_echo_multicast=0 (1)    [Solaris 2.x]
    allow_brdaddr_srcaddr=0    [IRIX]
    directed_broadcast=0    [AIX]
    bcastping=0    [AIX]
    ip_forward_directed_broadcasts=0    [HP-UX]
    ip_respond_to_echo_broadcast=0    [HP-UX]

ICMP broadcast netmask and timestamp requests
    The same leaks as the netmask and timestamp entries, solicited via the broadcast address so that one request maps a whole subnet. The FreeBSD maskrepl and Windows EnableAddrMaskReply knobs above already cover the broadcast case; on Linux use the iptables rules above, since icmp_echo_ignore_broadcasts covers echo requests only.
    ip_respond_to_address_mask_broadcast=0 (0)    [Solaris 2.x, HP-UX]
    ip_respond_to_timestamp_broadcast=0 (1)    [Solaris 2.x, HP-UX]

ICMP timestamp
    ICMP type 13 (timestamp request) and type 14 (timestamp reply): the reply carries the originate, receive and transmit timestamps (milliseconds since midnight UTC), which disclose the host's clock and, over several probes, its clock drift.
    net.inet.icmp.timestamp=0 (0)    [Mac OS X]
    ip_respond_to_timestamp=0 (1)    [Solaris 2.x]
    ip_respond_to_timestamp_broadcast=0 (1)    [Solaris 2.x]

Invalid / abnormal packets
    Ignore segments and ICMP messages that no legitimate peer sends (SYN+FIN, ICMP-triggered connection resets, error messages from bogus sources), and log packets with impossible source addresses (martians) so that spoofing attempts show up.
    net.inet.tcp.icmp_may_rst=0 (1)    [FreeBSD 4.x, Mac OS X]   (do not let ICMP unreachables tear down established connections)
    net.inet.tcp.drop_synfin=1 (0)    [FreeBSD, Mac OS X]   (4.x needs the TCP_DROP_SYNFIN kernel option)
    net.ipv4.conf.all.log_martians=1 (0)    [GNU/Linux 2.4.x]
    net.ipv4.conf.default.log_martians=1 (0)    [GNU/Linux 2.4.x]
    net.ipv4.icmp_ignore_bogus_error_responses=1 (0)    [GNU/Linux 2.4.x]

TCP/UDP packet received on a closed port
    Normally a TCP segment to a closed port draws a RST and a UDP datagram an ICMP port unreachable; both confirm that the host is up and let a scanner map its ports. Blackholing suppresses the reply, at the cost of slower connection failures for legitimate clients and harder troubleshooting.
    net.inet.tcp.blackhole=2 (0)    [FreeBSD 4.x, Mac OS X]   (1 = drop SYNs to closed ports, 2 = drop all segments to closed ports)
    net.inet.udp.blackhole=1 (0)    [FreeBSD 4.x, Mac OS X]

Network MBUFs
    Number of mbuf clusters available to the network stack; running out stalls every socket, so size it for the expected connection count and socket buffer sizes. On FreeBSD 4.x this is a boot-time loader tunable, not a runtime sysctl.
    kern.ipc.nmbclusters=65536 (NMBCLUSTERS)    [FreeBSD 4.x]

Non-privileged port range
    Defines the local (ephemeral) port range that TCP and UDP use for outgoing connections. The range divided by the TIME-WAIT hold time bounds the sustainable rate of new outgoing connections, so a wider range matters on busy clients and proxies; starting it above the well-known ports keeps ephemeral sockets from colliding with services.
    net.inet.ip.portrange.first=1024 (1024)    [FreeBSD 4.x, Mac OS X]
    net.inet.ip.portrange.last=16383 (5000)    [FreeBSD 4.x, Mac OS X]
    net.ipv4.ip_local_port_range=16384 65535 (32768 61000)    [GNU/Linux 2.4.x]   (two space-separated values)
    tcp_smallest_nonpriv_port=1024 (1024)    [Solaris 2.x]
    udp_smallest_nonpriv_port=1024 (1024)    [Solaris 2.x]
    tcp_smallest_anon_port=8192 (32768)    [Solaris 2.x]
    tcp_largest_anon_port=65535 (65535)    [Solaris 2.x]
    udp_smallest_anon_port=8192 (32768)    [Solaris 2.x]
    udp_largest_anon_port=65535 (65535)    [Solaris 2.x]

TCP initial sequence numbers
    Predictable ISNs allow blind connection spoofing and data injection. RFC 1948 recommends a keyed hash of the connection 4-tuple; Linux 2.4.x and the BSDs do this by default and expose no equivalent knob, while Solaris must be told to.
    RFC 1948
    tcp_strong_iss=2 (1)    [Solaris 2.x]   (0 = sequential, 1 = random increment, 2 = RFC 1948)
file system security/performance

Maximum inodes
    Upper bound on the number of in-core inodes; raise it alongside the file descriptor limit on busy servers.
    fs.inode-max=131072    [GNU/Linux 2.2.x]   (removed in 2.4, where the inode cache sizes itself)

Maximum file descriptors
    System-wide open file limit. Every socket costs a descriptor, so it must exceed the connection queue limits above, or accept(2) fails under load.
    kern.maxfiles=32768 (derived from maxusers)    [FreeBSD 4.x]
    fs.file-max=32768 (8192)    [GNU/Linux 2.4.x]
    rlim_fd_max=32768 (1024; > 2*tcp_conn_req_max)    [Solaris 2.x]   (set in /etc/system)
information disclosure

IP default TTL
    The initial TTL identifies the operating system family to a passive fingerprinter (64 for the Unix-likes, 128 for Windows, 255 for Solaris and most network gear). Setting a common value removes one fingerprinting clue; 64 is ample for any real path.
    net.inet.ip.ttl=64 (64)    [FreeBSD 4.x, OpenBSD, Mac OS X]
    net.ipv4.ip_default_ttl=64 (64)    [GNU/Linux 2.4.x]
    ip_def_ttl=64 (255)    [Solaris 2.x]
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL Dword:64 (128)    [Windows 2000]

TCP timestamping
    The RFC 1323 timestamp clock usually starts at boot, so watching TSval advance reveals uptime (BugTraq: Obtaining System Uptime Remotely). Setting 0 closes the leak, but also disables PAWS and the per-segment RTT measurement that large scaled windows rely on, and on FreeBSD 4.x the single rfc1323 knob takes window scaling with it. This is the conflict noted in the introduction; 1 is the performance choice, 0 the disclosure-averse one.
    RFC 1323
    net.inet.tcp.rfc1323=0 (1)    [FreeBSD 4.x, OpenBSD, Mac OS X]   (also disables window scaling)
    net.ipv4.tcp_timestamps=0 (1)    [GNU/Linux 2.4.x]   (tcp_tw_reuse needs timestamps and stops working)
    tcp_tstamp_always=0 (0)    [Solaris 2.x]   (0 = use timestamps only when the peer offers them; tcp_tstamp_if_wscale=0 stops offering them with window scaling)
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Tcp1323Opts (bit 1)    [Windows 2000]   (clear bit 1 to disable timestamps; bit 0 is window scaling)
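The uptime leak described in the introduction and in the entry above is concrete enough to compute. The following is an added example, not code from this page: given TSval samples taken from a host's segments together with the capture time of each, it recovers the tick rate as the slope of TSval against wall clock (snapped to the rates seen in practice) and the uptime as TSval divided by that rate. It also parses TSval out of a raw TCP options field, handling NOP padding, EOL and truncated options. The option bytes, the sample captures and the set of common tick rates are constructed assumptions of the example.

```python
"""Remote uptime from TCP timestamps, the disclosure discussed in the
introduction and under 'TCP timestamping'.  Added example, not code from
the page.  Given TSval samples from a host's segments together with the
capture time of each, the tick rate is the slope of TSval against wall
clock, snapped to rates common in practice, and uptime is TSval / rate.
The option bytes, the samples and COMMON_HZ are constructed assumptions.
"""
import struct
from typing import List, Optional, Tuple

COMMON_HZ = (100, 250, 1000)   # assumption: tick rates seen in the wild
MASK32 = 0xFFFFFFFF
Sample = Tuple[float, int]     # (capture time in seconds, TSval)


def parse_tsval(options: bytes) -> Optional[int]:
    """TSval from a raw TCP options field (kind 8, length 10, RFC 1323),
    skipping NOP padding and stopping at EOL; None if absent or malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # EOL
            return None
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None                     # truncated option header
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                     # malformed length
        if kind == 8 and length == 10:
            return struct.unpack("!I", options[i + 2:i + 6])[0]
        i += length
    return None


def estimate_hz(samples: List[Sample]) -> int:
    """Ticks per second between the first and last sample, tolerating a
    single 32-bit wrap, snapped to the nearest common rate."""
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    if t1 <= t0:
        raise ValueError("samples must span time")
    ticks = (v1 - v0) & MASK32
    raw = ticks / (t1 - t0)
    return min(COMMON_HZ, key=lambda hz: abs(hz - raw))


def estimate_uptime(samples: List[Sample]) -> Tuple[int, float]:
    """(tick rate, seconds since the timestamp clock started) at the last
    sample.  On most stacks the clock starts at boot, so this is uptime;
    a clock that has already wrapped (2^32/hz seconds, about 497 days at
    100 Hz) under-reports.  Stacks that randomise the timestamp offset per
    connection defeat the estimate, which is the modern mitigation."""
    hz = estimate_hz(samples)
    return hz, samples[-1][1] / hz


def estimate_boot_time(samples: List[Sample]) -> float:
    """Wall-clock boot time implied by the last sample."""
    hz, uptime = estimate_uptime(samples)
    return samples[-1][0] - uptime


if __name__ == "__main__":
    # Constructed capture: three segments 5 s apart from a 1000 Hz stack
    # that has been up for 5010 s when the last one is seen.
    opts = b"\x01\x01\x08\x0a" + struct.pack("!II", 5_010_000, 0)
    print("TSval in options:", parse_tsval(opts))
    samples = [(1700000000.0, 5_000_000), (1700000005.0, 5_005_000),
               (1700000010.0, 5_010_000)]
    hz, up = estimate_uptime(samples)
    print("tick rate %d Hz, uptime %.0f s, booted at %.0f"
          % (hz, up, estimate_boot_time(samples)))
```

Two samples a few seconds apart are enough to pin the tick rate, which is why the knobs above matter even for hosts that never answer ICMP timestamp requests: every established TCP connection carries the same information. The uptime figure in turn tells an attacker how long ago the host was last patched and rebooted.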
   

The data was collected through various sources.