7.1.0 z/VM TCPIP SSTRESS DOS Attacks


With the upgrade to z/VM TCP/IP 7.1.0, you may start to see SSTRESS Denial of Service (DOS) attacks being reported to the users in your INFORM list:

  * MSG FROM TCPIP : A denial-of-service attack has been detected

In addition, you may start receiving complaints indicating users are no longer able to connect to your TCP/IP servers.

A NETSTAT DOS command may show the following:

  netstat dos
  VM TCP/IP Netstat Level 710       TCP/IP Server Name: TCPIP
 
  Maximum Number of Half Open Connections: 502
  Maximum Number of Persist Connections: 251
  Maximum Number of Connections Per Foreign IP Address: 25
 
  Denial of service attacks:
                                                     Attacks      Elapsed       Attack
  Attack   IP Address                               Detected         Time     Duration
  -------- --------------------------------------- --------- ------------ ------------
  SSTRESS  9.60.28.105                                     3   0.00:00:14   0.00:00:08

In z/VM 7.1.0, the default value for the FOREIGNIPCONLIMIT statement has been changed from 100% of the TCBPOOLSIZE to 10%. Take a close look at this statement and determine the appropriate value for your installation. For details on this statement, refer to Chapter 17, "Configuring the TCP/IP server", in the z/VM TCP/IP Planning and Customization manual.

To make a change to this value without having to restart TCP/IP, issue:

  NETSTAT OBEY FOREIGNIPCONLIMIT xx

Here xx is 0 (no limit), a whole number, or a percentage of the TCBPOOLSIZE.

To make the change permanent, add the statement to the TCP/IP configuration file so the value is also applied when the TCP/IP stack is restarted.
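
When deciding on a value, it helps to see which foreign IP addresses are being flagged and what limit is currently in effect. The following is an added example, not part of the original note and not IBM code: a Python parser for captured NETSTAT DOS output like the report shown above. The days.hh:mm:ss reading of the time columns is an assumption, and the 192.0.2.7 row is constructed sample data.

```python
import re

# Sample input: the NETSTAT DOS report from this page. The 192.0.2.7 row is
# constructed for this example and is not real output.
SAMPLE = """\
VM TCP/IP Netstat Level 710       TCP/IP Server Name: TCPIP
Maximum Number of Half Open Connections: 502
Maximum Number of Persist Connections: 251
Maximum Number of Connections Per Foreign IP Address: 25
Denial of service attacks:
Attack   IP Address                               Detected         Time     Duration
-------- --------------------------------------- --------- ------------ ------------
SSTRESS  9.60.28.105                                     3   0.00:00:14   0.00:00:08
SSTRESS  192.0.2.7                                      11   0.01:02:03   0.00:00:40
"""

LIMIT_RE = re.compile(r"Maximum Number of (.+?):\s*(\d+)\s*$")
TIME = r"(\d+\.\d\d:\d\d:\d\d)"
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+" + TIME + r"\s+" + TIME + r"\s*$")

def to_seconds(stamp):
    # Assumption: the time columns are laid out as days.hh:mm:ss.
    days, clock = stamp.split(".")
    hours, minutes, seconds = (int(part) for part in clock.split(":"))
    return int(days) * 86400 + hours * 3600 + minutes * 60 + seconds

def parse_netstat_dos(text):
    """Return (limits, attacks) parsed from a captured NETSTAT DOS report."""
    limits, attacks = {}, []
    for line in text.splitlines():
        limit = LIMIT_RE.search(line)
        row = ROW_RE.match(line)  # header and separator lines do not match
        if limit:
            limits[limit.group(1)] = int(limit.group(2))
        elif row:
            kind, ip, detected, elapsed, duration = row.groups()
            attacks.append({"attack": kind, "ip": ip, "detected": int(detected),
                            "elapsed_s": to_seconds(elapsed), "duration_s": to_seconds(duration)})
    return limits, attacks

def sstress_sources(text):
    """Per-foreign-IP limit in effect and SSTRESS rows, most detections first."""
    limits, attacks = parse_netstat_dos(text)
    rows = [a for a in attacks if a["attack"] == "SSTRESS"]
    rows.sort(key=lambda a: a["detected"], reverse=True)
    return limits.get("Connections Per Foreign IP Address"), rows

if __name__ == "__main__":
    print(sstress_sources(SAMPLE))
```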