7.1.0 z/VM TCPIP SSTRESS DOS Attacks
With the upgrade to z/VM TCP/IP 7.1.0, you may start to see SSTRESS
Denial of Service (DOS) attacks being reported to the users in your
INFORM list:
* MSG FROM TCPIP : A denial-of-service attack has been detected
In addition, you may start receiving complaints indicating users are no longer able to connect to your TCP/IP servers.
A NETSTAT DOS command may show the following:
netstat dos
VM TCP/IP Netstat Level 710 TCP/IP Server Name: TCPIP
Maximum Number of Half Open Connections: 502
Maximum Number of Persist Connections: 251
Maximum Number of Connections Per Foreign IP Address: 25
Denial of service attacks:
Attacks Elapsed Attack
Attack IP Address Detected Time Duration
-------- --------------------------------------- --------- ------------ ------------
SSTRESS 9.60.28.105 3 0.00:00:14 0.00:00:08
In z/VM 7.10, the default value for the FOREIGNIPCONLIMIT statement has been changed from 100% of the TCBPOOLSIZE to 10%. You need to take a close look at this statement and determine what the appropriate value should be for your installation. Refer to Chapter 17: Configuring the TCP/IP server in the z/VM TCP/IP Planning and Customization Manual for details on this statement.
To make a change to this value without having to restart TCP/IP, issue:
NETSTAT OBEY FOREIGNIPCONLIMIT xx
Where xx is 0 (no limit), a whole number or a percentage of the TCBPOOLSIZE.
In order to make the change permanent, add the statement to the TCP/IP config file so the value is also changed when the TCP/IP stack is restarted.