Microsoft Corporation
See the landing page for a starting point and a complete overview of "Improving Web Application Security: Threats and Countermeasures".
Summary: You can configure a variety of TCP/IP parameters in the Windows registry to help protect against network-level denial of service attacks, including SYN flood attacks, ICMP attacks, and SNMP attacks. You can configure registry values to:
• Enable SYN flood protection when an attack is detected.
• Set the thresholds that determine what is considered an attack.
This How To shows administrators how to configure the registry keys and values that help prevent network-based denial of service attacks.
Note: These settings modify the way TCP/IP works on your server. The characteristics of your Web server determine the best thresholds for triggering denial of service countermeasures. Some values may be too restrictive for your client connections. Test the recommendations in this document before deploying them to production servers.
On this page:
• Before You Begin
• Protect Against SYN Attacks
• Protect Against ICMP Attacks
• Protect Against SNMP Attacks
• AFD.SYS Protections
• Additional Protections
• Pitfalls
• Additional Resources
Before You Begin
TCP/IP is an inherently insecure protocol. However, the Windows 2000 implementation allows you to configure its operation to help protect against network-level denial of service attacks. By default, some of the keys and values discussed in this document may not exist; in those cases, create the key, the value, or the value data.
For more information about the TCP/IP registry settings in Windows 2000, see the white paper "Microsoft Windows 2000 TCP/IP Implementation Details" at http://www.microsoft.com/technet/itsolutions/network/deploy/depovg/tcpip2k.asp.
Protect Against SYN Attacks
A SYN attack exploits a weakness in the TCP/IP connection establishment mechanism. To mount a SYN flood attack, an attacker uses a program to send a flood of TCP SYN requests that fill the pending connection queue on the server. This prevents other users from establishing network connections.
To protect the network against SYN attacks, follow these generalized steps, which are explained later in this document:
• Enable SYN attack protection
• Set SYN protection thresholds
• Set additional protections
Enable SYN Attack Protection
The named value that enables SYN attack protection is located beneath the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
Value name: SynAttackProtect
Recommended value: 2
Valid values: 0-2
Description: Causes TCP to adjust the retransmission of SYN-ACKs. When you configure this value, connection responses time out more quickly in the event of a SYN attack. A SYN attack is detected when the TcpMaxHalfOpen or TcpMaxHalfOpenRetried threshold is exceeded.
Set SYN Protection Thresholds
The following values determine the thresholds at which SYN protection is triggered. All keys and values in this section are under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. They are as follows:
• Value name: TcpMaxPortsExhausted
  Recommended value: 5
  Valid values: 0-65535
  Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.
• Value name: TcpMaxHalfOpen
  Recommended value data: 500
  Valid values: 100-65535
  Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When the threshold is exceeded, SYN flood protection is triggered.
• Value name: TcpMaxHalfOpenRetried
  Recommended value data: 400
  Valid values: 80-65535
  Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When the threshold is exceeded, SYN flood protection is triggered.
Set Additional Protections
All keys and values in this section are under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. They are as follows:
• Value name: TcpMaxConnectResponseRetransmissions
  Recommended value data: 2
  Valid values: 0-255
  Description: Controls how many times a SYN-ACK is retransmitted in response to a SYN request before the attempt is cancelled.
• Value name: TcpMaxDataRetransmissions
  Recommended value data: 2
  Valid values: 0-65535
  Description: Specifies the number of times TCP retransmits an individual data segment (not a connection request segment) before aborting the connection.
• Value name: EnablePMTUDiscovery
  Recommended value data: 0
  Valid values: 0, 1
  Description: Setting this value to 1 (the default) forces TCP to discover the maximum transmission unit (MTU), or largest packet size, on the path to a remote host. An attacker can force packet fragmentation, which overworks the stack. Setting this value to 0 forces an MTU of 576 bytes for connections with hosts not on the local subnet.
• Value name: KeepAliveTime
  Recommended value data: 300000
  Valid values: 80-4294967295
  Description: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.
• Value name: NoNameReleaseOnDemand
  Recommended value data: 1
  Valid values: 0, 1
  Description: Specifies that the computer does not release its NetBIOS name when it receives a name-release request.
Use the values summarized in Table 1 for maximum protection.
Table 1: Recommended values
Value name                              Value (REG_DWORD)
SynAttackProtect                        2
TcpMaxPortsExhausted                    1
TcpMaxHalfOpen                          500
TcpMaxHalfOpenRetried                   400
TcpMaxConnectResponseRetransmissions    2
TcpMaxDataRetransmissions               2
EnablePMTUDiscovery                     0
KeepAliveTime                           300000 (5 minutes)
NoNameReleaseOnDemand                   1
Protect Against ICMP Attacks
The value specified in this section is located under the registry key HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters.
Value name: EnableICMPRedirect
Recommended value data: 0
Valid values: 0 (disabled), 1 (enabled)
Description: Modifying this registry value to 0 prevents the creation of expensive host routes when an ICMP redirect packet is received.
Use the values summarized in Table 2 for maximum protection.
Table 2: Recommended values
Value name            Value (REG_DWORD)
EnableICMPRedirect    0
Protect Against SNMP Attacks
The value specified in this section is located under the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
Value name: EnableDeadGWDetect
Recommended value data: 0
Valid values: 0 (disabled), 1 (enabled)
Description: Prevents an attacker from forcing a switch to a secondary gateway.
Use the values summarized in Table 3 for maximum protection.
Table 3: Recommended values
Value name            Value (REG_DWORD)
EnableDeadGWDetect    0
AFD.SYS Protections
The following keys specify parameters for the kernel-mode driver AFD.SYS, which is used to support Windows Sockets applications. All keys and values in this section are under the registry key HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters. They are as follows:
• Value name: EnableDynamicBacklog
  Recommended value data: 1
  Valid values: 0 (disabled), 1 (enabled)
  Description: Specifies AFD.SYS functionality to withstand large numbers of SYN_RCVD connections efficiently. For more information, see "Internet Server Unavailable Because of Malicious SYN Attacks" at http://support.microsoft.com/default.aspx?scid=kb;en-us;142641.
• Value name: MinimumDynamicBacklog
  Recommended value data: 20
  Valid values: 0-4294967295
  Description: Specifies the minimum number of free connections allowed on a listening endpoint. If the number of free connections drops below this value, a thread is queued to create additional free connections.
• Value name: MaximumDynamicBacklog
  Recommended value data: 20000
  Valid values: 0-4294967295
  Description: Specifies the maximum total number of free connections plus connections in the SYN_RCVD state.
• Value name: DynamicBacklogGrowthDelta
  Recommended value data: 10
  Valid values: 0-4294967295
  Present by default: No
  Description: Specifies the number of free connections to create when additional connections are necessary.
Use the values summarized in Table 4 for maximum protection.
Table 4: Recommended values
Value name                    Value (REG_DWORD)
EnableDynamicBacklog          1
MinimumDynamicBacklog         20
MaximumDynamicBacklog         20000
DynamicBacklogGrowthDelta     10
Additional Protections
All keys and values in this section are located under the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
Protect Screened Network Details
Network address translation (NAT) is used to screen a network from incoming connections. An attacker can use IP source routing to circumvent this screening and determine the network topology.
Value name: DisableIPSourceRouting
Recommended value data: 1
Valid values: 0 (forward all packets), 1 (do not forward source-routed packets), 2 (drop all incoming source-routed packets)
Description: Disables IP source routing, a mechanism that allows the sender to determine the IP route that a datagram should take through the network.
Avoid Accepting Fragmented Packets
Processing fragmented packets can be expensive. Although it is rare for a denial of service attack to originate from within the perimeter network, this setting prevents the processing of fragmented packets.
Value name: EnableFragmentChecking
Recommended value data: 1
Valid values: 0 (disabled), 1 (enabled)
Description: Prevents the IP stack from accepting fragmented packets.
Do Not Forward Packets Destined for Multiple Hosts
Multiple hosts may respond to multicast packets, producing responses that can flood a network.
Value name: EnableMulticastForwarding
Recommended value data: 0
Valid range: 0 (false), 1 (true)
Description: The routing service uses this parameter to control whether IP multicasts are forwarded. This parameter is created by the Routing and Remote Access service.
Only Firewalls Forward Packets Between Networks
A multihomed server must not forward packets between the networks it is connected to. The obvious exception is the firewall.
Value name: IPEnableRouter
Recommended value data: 0
Valid range: 0 (false), 1 (true)
Description: Setting this parameter to 1 (true) causes the system to route IP packets between the networks to which it is connected.
Mask Network Topology Details
ICMP packets can be used to request the subnet mask of a host. This is not harmful in itself; however, the responses of multiple hosts can be used to build a picture of the internal network.
Value name: EnableAddrMaskReply
Recommended value data: 0
Valid range: 0 (false), 1 (true)
Description: This parameter controls whether the computer responds to an ICMP address mask request.
Use the values summarized in Table 5 for maximum protection.
Table 5: Recommended values
Value name                    Value (REG_DWORD)
DisableIPSourceRouting        1
EnableFragmentChecking        1
EnableMulticastForwarding     0
IPEnableRouter                0
EnableAddrMaskReply           0
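As an added example (not part of this How To), the following Python script audits a file produced by "reg export" against the recommended values from Tables 1 through 5, reporting every value that is absent or differs from the recommendation. It assumes that the SYN and Additional Protections values live under the Tcpip\Parameters key named in the SNMP and Additional Protections sections, keeps EnableICMPRedirect under AFD\Parameters as this document lists it, uses the Table 1 value for TcpMaxPortsExhausted, and works on a constructed sample export rather than a real capture.

```python
import re

# Constructed sample of a 'reg export' of the Tcpip\Parameters key (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
"EnablePMTUDiscovery"=dword:00000001
"KeepAliveTime"=dword:000493e0
"DataBasePath"=hex(2):25,00,53,00
"""
# Recommended REG_DWORD values from Tables 1-5, grouped by registry key. Assumption:
# the SYN and Additional Protections values are under Tcpip\Parameters.
TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
AFD = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters"
BASELINE = {
    TCPIP: {"SynAttackProtect": 2, "TcpMaxPortsExhausted": 1,  # Table 1 says 1, body text says 5
            "TcpMaxHalfOpen": 500, "TcpMaxHalfOpenRetried": 400,
            "TcpMaxConnectResponseRetransmissions": 2, "TcpMaxDataRetransmissions": 2,
            "EnablePMTUDiscovery": 0, "KeepAliveTime": 300000, "NoNameReleaseOnDemand": 1,
            "EnableDeadGWDetect": 0, "DisableIPSourceRouting": 1, "EnableFragmentChecking": 1,
            "EnableMulticastForwarding": 0, "IPEnableRouter": 0, "EnableAddrMaskReply": 0},
    AFD: {"EnableICMPRedirect": 0,  # listed under AFD\Parameters in this How To
          "EnableDynamicBacklog": 1, "MinimumDynamicBacklog": 20,
          "MaximumDynamicBacklog": 20000, "DynamicBacklogGrowthDelta": 10},
}
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_export(text):
    """Collect the REG_DWORD entries of a .reg export as {key: {name: int}}, case-folded."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1).lower()        # registry key and value names are case-insensitive
            values.setdefault(key, {})
        elif (m := DWORD_RE.match(line)) and key is not None:
            values[key][m.group(1).lower()] = int(m.group(2), 16)  # dword data is hex in .reg
    return values

def audit(text):
    """Return (key, name, current, recommended) for each baseline value absent or different."""
    found = parse_reg_export(text)
    findings = []
    for key, names in BASELINE.items():
        for name, want in names.items():
            have = found.get(key.lower(), {}).get(name.lower())  # None: not set, default applies
            if have != want:
                findings.append((key, name, have, want))
    return findings
```

A value reported with current=None is one the document says to create; run the script against an export of both keys before and after applying the tables to confirm the change took effect.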
Pitfalls
When you test these values, test them against the kind of network volume you see in production. These settings modify the thresholds that are considered normal and deviate from the tested defaults. If client connection speeds vary widely, some settings may be too narrow to support those clients reliably.
Additional Resources
For more information about TCP/IP, see the following resources: