Anti-DDoS: enhancing the system's resistance by modifying the registry

Source: Internet
Author: User

You do not have to use a firewall to defend against DDoS attacks. For some DDoS traffic we can use the DOS command netstat -an, or more comprehensive network analysis software such as a sniffer, to see what is happening, and then use the tools that ship with Windows 2000, such as Routing and Remote Access or IP security policies, to deal with the attack. We can also try to resist DDoS attacks through the security settings of the server itself; if the problem cannot be solved effectively by configuring the server, an anti-DDoS firewall can be purchased. In fact, the operating system has a great many features of its own, but many of them have to be discovered slowly. Here I give a brief introduction to enhancing the system's anti-DoS capability by modifying the registry in a Windows 2000 environment.

Note that the following security settings are applied through the registry. How well they perform depends on the server's configuration, especially its CPU processing power. The settings below were applied on a dual-CPU Xeon (10 thousand GB) server; after testing, the server could withstand attacks of about packets.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

Disable dead-gateway detection. When the server has multiple gateways configured, the system tries to switch to the second gateway whenever the network is congested; disabling this check optimises the network.

"EnableDeadGWDetect"=dword:00000000

Disable responses to ICMP redirect packets. Such packets can be used in attacks, so the system should reject ICMP redirects.

"EnableICMPRedirects"=dword:00000000

Do not release the NetBIOS name on demand. When an attacker sends a request to query the server's NetBIOS name, the server is forbidden from responding.

Note that SP2 or later must be installed on the system.

"NoNameReleaseOnDemand"=dword:00000001

Send keep-alive verification packets. This option determines the interval at which TCP checks whether a current connection is still in the connected state. If this value is not set, the system checks for idle TCP connections every two hours; here the interval is set to 5 minutes.

"KeepAliveTime"=dword:000493e0

Disable path MTU discovery. When the value is 1, the system automatically detects the largest packet size that can be transmitted, which improves transmission efficiency. If faults or security problems occur, set the value to 0, which means a fixed MTU of 576 bytes is used.

"EnablePMTUDiscovery"=dword:00000000

Enable SYN attack protection. The default value is 0, meaning protection is not enabled. The values 1 and 2 both enable SYN attack protection, and 2 is the higher security level. What counts as an attack is decided by the trigger conditions set in the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values below. Note that on NT 4.0 this must be set to 1: if it is set to 2, a specially crafted packet will cause the system to restart.

"SynAttackProtect"=dword:00000002

The number of half-open connections allowed at the same time. A half-open connection is a TCP session that has not been fully established; the netstat command shows such sessions in the SYN_RCVD state. Here we recommend 100 for Server and 500 for Advanced Server; it is recommended to set it a little smaller.

"TcpMaxHalfOpen"=dword:00000064

The threshold at which attack protection is triggered. Microsoft's recommended values are 80 for Server and 400 for Advanced Server.

"TcpMaxHalfOpenRetried"=dword:00000050

Set the SYN-ACK wait time. The default value is 3, which corresponds to 45 seconds. A value of 2 takes 21 seconds, and a value of 1 takes 9 seconds. The minimum value 0 means no waiting and takes 3 seconds. This value can be adjusted according to the scale of the attack; 2 is recommended by Microsoft site security.

Sets the number of times TCP retransmits a single data segment. The default value is 5, with which the process takes 240 seconds. 3 is recommended by Microsoft site security.

"TcpMaxDataRetransmissions"=dword:00000003

Sets the threshold for SYN attack protection. When the available backlog drops to 0, this parameter controls whether SYN attack protection is enabled. 5 is recommended by Microsoft site security.

"TCPMaxPortsExhausted"=dword:00000005

Disable IP source routing. The default value is 1, meaning source-routed packets are not forwarded. A value of 0 means all packets are forwarded, and a value of 2 means all received source-routed packets are discarded. 2 is recommended by Microsoft site security.

"DisableIPSourceRouting"=dword:00000002

The maximum time a connection is allowed to remain in the TIME_WAIT state. The default value is 240 seconds; the minimum is 30 seconds and the maximum is 300 seconds. We recommend setting it to 30 seconds.

"TcpTimedWaitDelay"=dword:0000001e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]

Increase the size of the NetBT connection block. The default value is 3 and the valid range is 1-20. The larger the value, the more connections can be handled and the higher the performance; each connection block consumes 87 bytes.

"BacklogIncrement"=dword:00000003

The maximum NetBT connection backlog. The valid range is 1-40000; here it is set to 1000. A larger value allows more connections to be accepted when many connections arrive at once.

"MaxConnBackLog"=dword:000003e8

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]

Enable the dynamic backlog. If the network is busy or vulnerable to SYN attacks, we recommend setting this to 1 to allow the dynamic backlog.

"EnableDynamicBacklog"=dword:00000001

Configure the minimum dynamic backlog. This is the minimum number of free connections the dynamic backlog allocates; when the number of free connections drops below this value, free connections are allocated automatically. The default value is 0. For systems that are busy or vulnerable to SYN attacks, we recommend setting it to 20.

"MinimumDynamicBacklog"=dword:00000014

Maximum dynamic backlog. This is the maximum number of "quasi" (half-open) connections and depends mainly on memory size; in theory it can be increased by 5000 for every 32 MB of memory. Set this parameter to 20000.

; 20000 decimal = 0x4e20
"MaximumDynamicBacklog"=dword:00004e20

The free-connection growth delta. The default value is 5, indicating the number of free connections added each time. For systems that are busy or vulnerable to SYN attacks, we recommend setting it to 10.

"DynamicBacklogGrowthDelta"=dword:0000000a

Modify the following manually according to actual conditions:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

Enable security filtering on the NIC.

"EnableSecurityFilters"=dword:00000001

The number of TCP connections open at the same time. You can limit the number of TCP connections as needed.

"TcpNumConnections" = (value chosen as needed)

This parameter controls the size limit of the TCP header table. On machines with a large amount of RAM, raising this setting can improve response performance during SYN attacks.

"TcpMaxSendFree" = (value chosen as needed)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]

Disable router discovery. ICMP router advertisement packets can be used to add entries to the routing table, which can be exploited in attacks, so router discovery should be disabled.
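As an added example (not part of the original article), the following Python script audits a .reg export of the Tcpip and AFD parameter keys (made with regedit's Export function or `reg export`) against a subset of the SYN-protection values recommended above, reporting each value as ok, weak, or missing. The baseline keys and the sample export are constructed for illustration.

```python
import re
# Registry paths from the article, with the backslashes restored.
TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
AFD = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters"
# Baseline from the article: (path, name) -> (operator, value). "==" must match
# exactly; "<=" / ">=" accept any setting at least as strict as the recommendation.
BASELINE = {
    (TCPIP, "SynAttackProtect"): ("==", 2),
    (TCPIP, "EnableICMPRedirects"): ("==", 0),
    (TCPIP, "DisableIPSourceRouting"): ("==", 2),
    (TCPIP, "TcpMaxHalfOpen"): ("<=", 100),
    (TCPIP, "TcpTimedWaitDelay"): ("<=", 30),
    (AFD, "EnableDynamicBacklog"): ("==", 1),
    (AFD, "MaximumDynamicBacklog"): (">=", 20000),
}
OPS = {"==": lambda a, b: a == b, "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}
SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"\s*=\s*dword:\s*([0-9a-fA-F]{1,8})$')

def parse_reg(text):
    """Dword entries of a .reg export as {(path, name): int}; keys lower-cased (registry is case-insensitive)."""
    values, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            path = m.group(1).lower()
        elif (m := DWORD.match(line)) and path:
            values[(path, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(values):
    """Compare with BASELINE -> {name: (status, current)}; 'missing' means the weaker OS default applies."""
    report = {}
    for (path, name), (op, want) in BASELINE.items():
        have = values.get((path.lower(), name.lower()))
        status = "missing" if have is None else ("ok" if OPS[op](have, want) else "weak")
        report[name] = (status, have)
    return report

# Constructed sample export (not from a real machine): two weak values, two missing.
SAMPLE_EXPORT = f"""Windows Registry Editor Version 5.00
[{TCPIP}]
"SynAttackProtect"=dword:00000000
"TcpMaxHalfOpen"=dword:00000064
"TcpTimedWaitDelay"=dword:000000f0
[{AFD}]
"EnableDynamicBacklog"=dword:00000001
"MaximumDynamicBacklog"=dword:00004e20
"""
```

Exports produced by regedit or `reg export` are UTF-16, so read the file with `open(path, encoding="utf-16")` before passing its contents to `parse_reg`.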
