LISTEN_TIMEOUT and MAX_INCOMPLETE_CONNECTIONS configuration parameters

You can use configuration parameters to reduce the risk of a hostile, denial-of-service (DOS) flood attack.

You can customize the following configuration parameters:
  • LISTEN_TIMEOUT. Sets the incomplete connection timeout period. The default incomplete connection timeout period is 60 seconds.
  • MAX_INCOMPLETE_CONNECTIONS. Restricts the number of incomplete requests for connections. The default maximum number of incomplete connections is 1024.

If you do not set the LISTEN_TIMEOUT and MAX_INCOMPLETE_CONNECTIONS configuration parameters and a flood of unauthorized attacks occurs, the Listener VP might become insecure and it might not be able to listen to a valid request in a timely manner.

If you set the LISTEN_TIMEOUT and MAX_INCOMPLETE_CONNECTIONS configuration parameters, and then someone tries to break into the system and reaches the maximum limit specified, the following information in the online message log is the notification that the system is under attack:
%d incomplete connection at this time. 
System is under attack through invalid clients 
on the listener port.

Depending on the machine capability of holding the threads (in number), you can configure MAX_INCOMPLETE_CONNECTIONS to a higher value and depending on the network traffic, you can set LISTEN_TIMEOUT to a lower value to reduce the chance that the attack can reach the maximum limit.

You can use the onmode -wm or onmode -wf commands to change the values of these configuration parameters while the server is online. For more information, see the Informix® Administrator's Reference.