How to: Strengthen TCP/IP Stack Security


Updated: April 12, 2004

Source: http://www.microsoft.com/china/technet/security/guidance/secmod109.mspx


Objectives

This module shows how to:

Harden the TCP/IP stack on a server

Protect the server from denial of service and other network-based attacks

Enable SYN flood attack protection when an attack is detected

Set the thresholds that determine what constitutes an attack


Applies to

This module applies to the following products and technologies:

Microsoft Windows 2000 Server and Windows 2000 Advanced Server


How to use this module

By default, some of the registry entries and values referenced in this module may not exist. In those cases, create the registry keys, values, and value data.

For more information about the registry settings that control TCP/IP networking in Windows 2000, see the white paper "Microsoft Windows 2000 TCP/IP Implementation Details" at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/network/deploy/depovg/tcpip2k.asp (English).

Note: These settings change how TCP/IP behaves on the server. The characteristics of the Web server determine the best thresholds for triggering the denial of service countermeasures. Some of the values may be too restrictive for client connections. Test these recommendations before deploying them to a production server.


Summary

The TCP/IP stack is responsible for processing incoming and outgoing IP packets and for routing the data in those packets to the application that will process it. By design, TCP/IP is an insecure protocol. However, Windows 2000 allows you to configure its operation to defend against most network-level denial of service attacks.

This module explains how to harden the TCP/IP stack and how to configure various TCP/IP parameters in the Windows registry to protect the server from network-level denial of service attacks, including SYN flood attacks, ICMP attacks, and SNMP attacks.


Prerequisites

Various TCP/IP parameters can be configured in the Windows registry to protect the server from network-level denial of service attacks, including SYN flood attacks, ICMP attacks, and SNMP attacks. You can configure registry values to:

Enable the SYN flood attack protection mechanism when an attack is detected.

Set the thresholds that determine what constitutes an attack.

This "How to" tells administrators which registry entries and values to configure in order to resist network-based denial of service attacks.

Note: These settings change how TCP/IP behaves on the server. The characteristics of the Web server determine the best thresholds for triggering the denial of service countermeasures. Some of the values may be too restrictive for client connections. Test these recommendations before deploying them to a production server.

By design, TCP/IP is an insecure protocol. However, Windows 2000 allows you to configure its operation to resist network-level denial of service attacks. By default, some of the registry keys and values referenced in this "How to" may not exist. In those cases, create the registry keys, values, and value data.

For more information about the registry settings that control TCP/IP networking in Windows 2000, see the white paper "Microsoft Windows 2000 TCP/IP Implementation Details" at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/network/deploy/depovg/tcpip2k.asp (English).

Protecting against SYN attacks

A SYN attack exploits a weakness in the TCP/IP connection establishment mechanism. To carry out a SYN flood, the attacker uses a program to send a stream of TCP SYN requests that fill the pending-connection queue on the server. This prevents other users from establishing network connections.

To protect the network against SYN attacks, follow these general steps (each is described later in this document):

Enable SYN attack protection

Set the SYN protection thresholds

Set other protections

Enable SYN attack protection

Enable SYN attack protection with the named value below the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

Value name: SynAttackProtect

Recommended value: 2

Valid values: 0 - 2

Note: This value causes TCP to adjust the retransmission of SYN-ACKs. When it is configured, connection responses time out more quickly during a SYN attack. SYN attack protection is triggered once the TcpMaxHalfOpen or TcpMaxHalfOpenRetried threshold is exceeded.

Set the SYN protection thresholds

The following values determine the thresholds that trigger SYN protection. All registry entries and values in this section are located below the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. The entries and values are:

Value name: TcpMaxPortsExhausted
Recommended value: 5
Valid values: 0 - 65535
Description: Specifies the number of TCP connection requests that must be exceeded before SYN flood attack protection is triggered.

Value name: TcpMaxHalfOpen
Recommended value data: 500
Valid values: 100 - 65535
Description: When SynAttackProtect is enabled, this value specifies the threshold for the number of TCP connections in the SYN_RCVD state. When this threshold is exceeded, SYN flood attack protection is triggered.

Value name: TcpMaxHalfOpenRetried
Recommended value data: 400
Valid values: 80 - 65535
Description: When SynAttackProtect is enabled, this value specifies the threshold for the number of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When this threshold is exceeded, SYN flood attack protection is triggered.

Set other protections

All registry entries and values in this section are located below the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. The entries and values are:

Value name: TcpMaxConnectResponseRetransmissions
Recommended value data: 2
Valid values: 0 - 255
Description: Controls how many times the SYN-ACK is retransmitted in response to a SYN request before the retransmission attempts are abandoned.

Value name: TcpMaxDataRetransmissions
Recommended value data: 2
Valid values: 0 - 65535
Description: Specifies the number of times TCP retransmits an individual data segment (not a connection request segment) before terminating the connection.

Value name: EnablePMTUDiscovery
Recommended value data: 0
Valid values: 0, 1
Description: Setting this value to 1 (the default) forces TCP to discover the maximum transmission unit (MTU), or largest packet size, on the path to a remote host. An attacker could force the MTU down to a very small value and overload the stack. Setting the value to 0 forces the MTU to 576 bytes for connections to hosts outside the local subnet.

Value name: KeepAliveTime
Recommended value data: 300000
Valid values: 80 - 4294967295
Description: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.

Value name: NoNameReleaseOnDemand
Recommended value data: 1
Valid values: 0, 1
Description: Specifies whether the computer releases its NetBIOS name when it receives a name-release request.

Use the values summarized in Table 1 for maximum protection.

Table 1: Recommended values

Value name                               Value (REG_DWORD)
SynAttackProtect                         2
TcpMaxPortsExhausted                     1
TcpMaxHalfOpen                           500
TcpMaxHalfOpenRetried                    400
TcpMaxConnectResponseRetransmissions     2
TcpMaxDataRetransmissions                2
EnablePMTUDiscovery                      0
KeepAliveTime                            300000 (5 minutes)
NoNameReleaseOnDemand                    1


Protecting against ICMP attacks

The named value in this section is located below the registry key HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters.

Value name: EnableICMPRedirect
Recommended value data: 0
Valid values: 0 (disabled), 1 (enabled)
Description: Setting this registry value to 0 prevents the creation of expensive host routes when an ICMP redirect packet is received.

Use the value summarized in Table 2 for maximum protection:

Table 2: Recommended value

Value name                               Value (REG_DWORD)
EnableICMPRedirect                       0


Protecting against SNMP attacks

The named value in this section is located below the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.

Value name: EnableDeadGWDetect
Recommended value data: 0
Valid values: 0 (disabled), 1 (enabled)
Description: Prevents an attacker from forcing a switch to a backup gateway.

Use the value summarized in Table 3 for maximum protection:

Table 3: Recommended value

Value name                               Value (REG_DWORD)
EnableDeadGWDetect                       0


AFD.SYS protection

The following registry entries specify parameters for the kernel-mode driver AFD.sys, which supports Windows Sockets applications. All registry keys and values in this section are located below the registry key HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters. The entries and values are:

Value name: EnableDynamicBacklog
Recommended value data: 1
Valid values: 0 (disabled), 1 (enabled)
Description: Specifies AFD.sys functionality for handling large numbers of SYN_RCVD connections efficiently. For more information, see "Internet Server Unavailable Because of Malicious SYN Attacks" at http://support.microsoft.com/default.aspx?scid=kb;en-us;142641 (English).

Value name: MinimumDynamicBacklog
Recommended value data: 20
Valid values: 0 - 4294967295
Description: Specifies the minimum number of free connections allowed on a listening endpoint. If the number of free connections drops below this value, a thread is queued to create additional free connections.

Value name: MaximumDynamicBacklog
Recommended value data: 20000
Valid values: 0 - 4294967295
Description: Specifies the maximum total number of connections in the SYN_RCVD state.

Value name: DynamicBacklogGrowthDelta
Recommended value data: 10
Valid values: 0 - 4294967295
Present by default: No
Description: Specifies the number of free connections to create when additional connections are needed.

Use the values summarized in Table 4 for maximum protection.

Table 4: Recommended values

Value name                               Value (REG_DWORD)
EnableDynamicBacklog                     1
MinimumDynamicBacklog                    20
MaximumDynamicBacklog                    20000
DynamicBacklogGrowthDelta                10


Other protections

All registry entries and values in this section are located below the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.

Protect screened network details

Network Address Translation (NAT) is used to screen a network from incoming connections. An attacker may circumvent this screen by using IP source routing to determine the network topology.

Value name: DisableIPSourceRouting
Recommended value data: 1
Valid values: 0 (forward all packets), 1 (do not forward source-routed packets), 2 (drop all incoming source-routed packets)
Description: Disables IP source routing, which allows the sender to determine the route a datagram takes through the network.

Avoid accepting fragmented packets

Processing fragmented packets can be expensive. Although denial of service from the perimeter network is rare, this setting prevents the processing of fragmented packets.

Value name: EnableFragmentChecking
Recommended value data: 1
Valid values: 0 (disabled), 1 (enabled)
Description: Prevents the IP stack from accepting fragmented packets.

Do not forward packets destined for multiple hosts

Multicast packets may be answered by multiple hosts, and the responses can flood the network.

Value name: EnableMulticastForwarding
Recommended value data: 0
Valid range: 0 (FALSE), 1 (TRUE)
Description: The routing service uses this parameter to control whether IP multicasts are forwarded. This parameter is created by the Routing and Remote Access service.

Only firewalls forward packets between networks

A multihomed server must not forward packets between the networks it is connected to. The obvious exception is a firewall.

Value name: IPEnableRouter
Recommended value data: 0
Valid range: 0 (FALSE), 1 (TRUE)
Description: Setting this parameter to 1 (TRUE) causes the system to route IP packets between the networks it is connected to.

Screen network topology details

The subnet mask of a host can be requested with an ICMP packet. Leaking this information alone is harmless; however, the responses of multiple hosts can be combined to map the internal network.

Value name: EnableAddrMaskReply
Recommended value data: 0
Valid range: 0 (FALSE), 1 (TRUE)
Description: Controls whether the computer responds to ICMP address mask requests.

Use the values summarized in Table 5 for maximum protection.

Table 5: Recommended values

Value name                               Value (REG_DWORD)
DisableIPSourceRouting                   1
EnableFragmentChecking                   1
EnableMulticastForwarding                0
IPEnableRouter                           0
EnableAddrMaskReply                      0
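As an added audit example (not part of the original document or of Microsoft's own tooling), the following Python script parses a `reg export` of HKLM\SYSTEM\CurrentControlSet\Services and compares every REG_DWORD it finds, by value name, against the recommendations in Tables 1 through 5. It matches names regardless of which subkey they sit under, so it does not depend on the key placement stated in each section; the sample export is constructed, and Table 1's value of 1 for TcpMaxPortsExhausted is used rather than the 5 recommended in the text.

```python
import re

# Recommended REG_DWORD values collected from Tables 1-5 of the document
# (Table 1's TcpMaxPortsExhausted = 1 is used; the text says 5).
RECOMMENDED = {
    "SynAttackProtect": 2, "TcpMaxPortsExhausted": 1, "TcpMaxHalfOpen": 500,
    "TcpMaxHalfOpenRetried": 400, "TcpMaxConnectResponseRetransmissions": 2,
    "TcpMaxDataRetransmissions": 2, "EnablePMTUDiscovery": 0, "KeepAliveTime": 300000,
    "NoNameReleaseOnDemand": 1, "EnableICMPRedirect": 0, "EnableDeadGWDetect": 0,
    "EnableDynamicBacklog": 1, "MinimumDynamicBacklog": 20, "MaximumDynamicBacklog": 20000,
    "DynamicBacklogGrowthDelta": 10, "DisableIPSourceRouting": 1, "EnableFragmentChecking": 1,
    "EnableMulticastForwarding": 0, "IPEnableRouter": 0, "EnableAddrMaskReply": 0,
}
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_reg_export(text):
    """Map lower-cased value name -> (key path, int) for every REG_DWORD in a
    'reg export' file. Other value types are ignored; names match case-insensitively."""
    found, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            key = m.group(1)
        elif key and (m := DWORD_RE.match(line)):
            found[m.group(1).lower()] = (key, int(m.group(2), 16))  # dword is hex
    return found

def audit(text):
    """Compare an export against RECOMMENDED. 'missing' means the value is not
    set, so the stack default (usually the less protective one) applies."""
    found, report = parse_reg_export(text), {}
    for name, want in RECOMMENDED.items():
        hit = found.get(name.lower())
        if hit is None:
            report[name] = "missing"
        else:
            report[name] = "ok" if hit[1] == want else f"mismatch (actual={hit[1]})"
    return report

# Constructed sample export (not from a real host): three correct values,
# one value set below the recommendation, and the rest absent.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
"TcpMaxHalfOpen"=dword:00000064
"DisableIPSourceRouting"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"EnableDynamicBacklog"=dword:00000001
"""
```

Run `audit()` over the text of a real export to get a per-value status; a "missing" entry is the case the module warns about, where the key must be created before the recommended value takes effect.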


Pitfalls

When testing changes to these values, take into account the network traffic expected in production. These settings change the thresholds for what is considered normal, deviating from the tested defaults. Some thresholds may be too narrow to reliably support clients whose connection speeds vary drastically.


Other resources

For additional information about TCP/IP, see the following resources:

For more information about hardening the TCP/IP stack, see Microsoft Knowledge Base article 315669, "How To: Harden the TCP/IP Stack Against Denial of Service Attacks in Windows 2000" (English).

For more information about the Windows 2000 TCP/IP implementation, see "Windows 2000 TCP/IP Protocols and Services" (English) by Joseph Davies and Thomas Lee (Microsoft Press, 2000).

For more information about the Windows 2000 TCP/IP implementation, see "Microsoft Windows 2000 TCP/IP Implementation Details" on the TechNet website at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/network/deploy/depovg/tcpip2k.asp (English).
