Defending against DDoS attacks does not necessarily require a firewall. When a DDoS attack occurs, we can use the DOS command netstat -an | more, or network analysis software such as Sniff, to identify the characteristics of the attack, such as which port is mainly being attacked, which ports the other party's traffic mainly comes from, and the other party's IP addresses. With that information we can use the tools that come with W2K itself, such as remote access or IP policies, to deal with the attack. If these methods do not yield the relevant data, we can also try to defend against DDoS attacks through the security settings of the server. If the server settings do not effectively solve the problem, you can consider purchasing an anti-DDoS firewall. In fact, the operating system itself hides many such functions, but a lot of them have to be dug out slowly. Here I will give a brief introduction to modifying the registry to enhance the system's anti-DoS capabilities in a Win2000 environment.
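The netstat triage described above, as an added example that is not part of the original article: it reads netstat -an output and reports which local ports and which remote addresses account for the half-open connections. The sample output is constructed (documentation addresses), and the default limit of 100 is the TcpMaxHalfOpen value used later on this page.

```python
import re
from collections import Counter

HALF_OPEN = {"SYN_RECEIVED", "SYN_RCVD"}  # Windows and Unix spellings of the state
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

# Constructed sample of `netstat -an` output; not captured from a real host.
SAMPLE = "\n".join(
    ["  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING",
     "  TCP    192.0.2.10:80          203.0.113.5:4211       ESTABLISHED"]
    + [f"  TCP    192.0.2.10:80          198.51.100.{i}:{2000 + i}     SYN_RECEIVED"
       for i in range(1, 7)]
    + ["  TCP    192.0.2.10:80          198.51.100.1:3001      SYN_RECEIVED",
       "  TCP    192.0.2.10:25          198.51.100.2:3002      SYN_RECEIVED"]
)

def half_open(netstat_text):
    """Yield (local_port, remote_ip) for every half-open TCP row."""
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and m.group(5).upper() in HALF_OPEN:
            yield int(m.group(2)), m.group(3)

def triage(netstat_text, limit=100, top=3):
    """Summarize half-open connections by attacked port and by source address."""
    rows = list(half_open(netstat_text))
    ports = Counter(port for port, _ in rows)
    sources = Counter(ip for _, ip in rows)
    return {
        "half_open": len(rows),
        "over_limit": len(rows) > limit,   # limit is an assumed threshold
        "ports": ports.most_common(top),
        "sources": sources.most_common(top),
    }

if __name__ == "__main__":
    print(triage(SAMPLE, limit=5))
```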
Note: the following security settings are all made by modifying the registry, and how well they perform depends on the configuration of the server, especially the processing power of the CPU. With the security settings below applied on a dual-processor 2.4G server, testing showed that it can withstand an attack of approximately 10,000 packets.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
; Turn off dead gateway detection. When the server has multiple gateways configured, the system
; tries to connect through the second gateway when the network is not running smoothly; turning
; this off optimizes the network.
"EnableDeadGWDetect"=dword:00000000
; Do not respond to ICMP redirect packets. Such packets may be used in an attack, so the system
; should refuse to accept ICMP redirect packets.
"EnableICMPRedirects"=dword:00000000
; Send keep-alive packets. This option determines the interval at which TCP checks that the
; current connection is still up. If this value is not set, the system checks idle TCP
; connections every 2 hours; here it is set to 5 minutes.
"KeepAliveTime"=dword:000493e0
; Disable path MTU discovery. When this value is 1, the largest packet size that can be
; transmitted is detected automatically, which can improve transmission efficiency. If that
; fails, or for security reasons, set the value to 0, which means a fixed MTU of 576 bytes is used.
"EnablePMTUDiscovery"=dword:00000000
; Enable SYN attack protection. The default value is 0, meaning protection is off; values 1 and 2
; enable SYN attack protection. With 2 the security level is higher. Whether traffic is treated
; as an attack is decided by the conditions set with the TcpMaxHalfOpen and
; TcpMaxHalfOpenRetried values. Note that NT4.0 must be set to 1; setting it to 2 causes the
; system to restart when it receives certain special packets.
"SynAttackProtect"=dword:00000002
; Number of half-open connections allowed at the same time. A half-open connection is a TCP
; session that has not completed; it shows up in netstat in the SYN_RCVD state. The Microsoft
; recommended values are used here: 100 for Server and 500 for Advanced Server. Adjusting the
; value slightly is recommended.
"TcpMaxHalfOpen"=dword:00000064
; Trigger point for deciding whether an attack is under way. The Microsoft recommended values
; are used here: 80 for Server and 400 for Advanced Server.
"TcpMaxHalfOpenRetried"=dword:00000050
; Set how long to wait for the SYN-ACK. The default value is 3, which takes 45 seconds. With 2
; it takes 21 seconds; with 1 it takes 9 seconds. The minimum is 0, meaning no waiting, which
; takes 3 seconds. This value can be changed according to the scale of the attack.
; Microsoft's site security recommendation is 2.
"TcpMaxConnectResponseRetransmissions"=dword:00000001
; Set the number of times TCP retransmits a single data segment. The default value is 5, which
; takes more than 240 seconds. Microsoft's site security recommendation is 3.
"TcpMaxDataRetransmissions"=dword:00000003
; Set the critical point for SYN attack protection. When the available backlog becomes 0, this
; parameter controls when SYN attack protection is turned on. Microsoft's site security
; recommendation is 5.
"TcpMaxPortsExhausted"=dword:00000005
; Disable IP source routing. The default value is 1, meaning source-routed packets are not
; forwarded; 0 means all are forwarded; 2 means all incoming source-routed packets are dropped.
; Microsoft's site security recommendation is 2.
"DisableIPSourceRouting"=dword:00000002
; Limit the maximum time spent in the TIME_WAIT state. The default is 240 seconds, the minimum
; is 30 seconds and the maximum is 300 seconds. 30 seconds is recommended.
"TcpTimedWaitDelay"=dword:0000001e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
; Do not allow the NetBIOS name to be released. When an attacker sends a request querying the
; server's NetBIOS name, the server can be prevented from responding.
; Note: the system must have SP2 or later installed.
; (NoNameReleaseOnDemand is a NetBT parameter, so it is set under this key.)
"NoNameReleaseOnDemand"=dword:00000001
; Increment by which NetBT connection blocks are added. The default is 3 and the range is 1-20;
; the larger the value, the greater the increase in performance. Each connection block
; consumes 87 bytes.
"BacklogIncrement"=dword:00000003
; Maximum number of NetBT connection blocks. The range is 1-40000; here it is set to 1000.
; The larger the value, the more connections are allowed.
"MaxConnBackLog"=dword:000003e8

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
; Enable dynamic backlog. For systems that are busy or vulnerable to SYN attacks, setting this
; to 1 is recommended, meaning dynamic backlog is allowed.
"EnableDynamicBacklog"=dword:00000001
; Configure the minimum dynamic backlog. The value is the minimum number of free connections
; for dynamic backlog allocation; when the number of free connections drops below it, more
; free connections are allocated automatically. The default is 0; 20 is recommended for
; systems that are busy or vulnerable to SYN attacks.
"MinimumDynamicBacklog"=dword:00000014
; Maximum dynamic backlog. This defines the number of "quasi" connections and depends mainly on
; memory size; in theory it can be increased by 5000 for every 32M of memory. Here it is set
; to 2000. (The value below, 0x2e20, is 11808 in decimal.)
"MaximumDynamicBacklog"=dword:00002e20
; Number of free connections added each time. The default value is 5. For systems that are busy
; or vulnerable to SYN attacks, setting it to 10 is recommended.
"DynamicBacklogGrowthDelta"=dword:0000000a

; The following entries need to be modified manually according to actual conditions
; -------------------------------------------------
;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
; Enable security filters on the NIC
;"EnableSecurityFilters"=dword:00000001
;
; Number of TCP connections open at the same time. Here, it can be controlled according to the situation.
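To check that a server actually carries these settings, the following added example (not part of the original article) parses an exported .reg file, decodes each dword from hex, and reports values that are missing or differ from a baseline. The baseline is a subset of the values listed above, and the export text is a constructed sample.

```python
import re

# Baseline in decimal: a subset of the values listed on this page.
BASELINE = {
    r"tcpip\parameters": {"SynAttackProtect": 2, "TcpMaxHalfOpen": 100,
                          "TcpMaxHalfOpenRetried": 80, "EnableICMPRedirects": 0,
                          "DisableIPSourceRouting": 2, "KeepAliveTime": 300000},
    r"afd\parameters": {"EnableDynamicBacklog": 1, "MinimumDynamicBacklog": 20},
}

# Constructed sample export; not taken from a real server.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000001
"TcpMaxHalfOpen"=dword:00000064
"TcpMaxHalfOpenRetried"=dword:00000050
"EnableICMPRedirects"=dword:00000000
"KeepAliveTime"=dword:000493e0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"EnableDynamicBacklog"=dword:00000001
"MinimumDynamicBacklog"=dword:0000000a
"""

KEY = re.compile(r"^\[(.+)\]$")
VAL = re.compile(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$')

def parse_reg(text):
    """Return {key path: {value name: int}}, all names lowercased, dwords only."""
    out, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # ';' comment lines and the header match neither pattern
        if m := KEY.match(line):
            current = out.setdefault(m.group(1).lower(), {})
        elif (m := VAL.match(line)) and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return out

def audit(text, baseline=BASELINE):
    """Return (key suffix, value name, expected, actual) for each deviation."""
    parsed, findings = parse_reg(text), []
    for suffix, expected in baseline.items():
        values = next((v for k, v in parsed.items()
                       if k.endswith("services\\" + suffix)), {})
        for name, want in expected.items():
            got = values.get(name.lower())  # None means the value is absent
            if got != want:
                findings.append((suffix, name, want, got))
    return findings
```

On the sample, audit(SAMPLE) reports SynAttackProtect set to 1 instead of 2, DisableIPSourceRouting missing, and MinimumDynamicBacklog set to 10 instead of 20.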