Defend against SYN attacks

A SYN attack exploits a weakness in the TCP/IP connection-establishment mechanism (the three-way handshake). To mount a SYN flood, an attacker uses a program to send a large number of TCP SYN requests to the server; each request occupies a slot in the server's queue of pending (half-open) connections until it times out, and once the queue is full, legitimate users can no longer establish connections. To protect a server against SYN attacks, follow these general steps (each step is explained later in this document):
1. Enable SYN attack protection
2. Set the SYN protection threshold values
3. Set additional protection
Enable SYN attack protection

The named value that enables SYN attack protection is located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.

Value name: SynAttackProtect
Recommended value: 2
Valid values: 0–2
Description: Causes TCP to adjust the retransmission of SYN-ACKs. When this value is configured, connection responses time out more quickly during a SYN attack. SYN attack protection is triggered once the TcpMaxHalfOpen or TcpMaxHalfOpenRetried threshold is exceeded.

These values apply to the Windows 2000 and Windows Server 2003-era TCP/IP stack. The rewritten stack in Windows Vista, Windows Server 2008 and later has SYN flood protection built in and no longer honors SynAttackProtect or its half-open thresholds, so set them only on the older systems.

Set the SYN protection threshold values

The following values determine the thresholds that trigger SYN protection. All registry values in this section are located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters. These values are:
Value name: TcpMaxPortsExhausted
Recommended value: 5 (Table 1 below uses 1 for maximum protection)
Valid values: 0–65535
Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood attack protection is triggered.

Value name: TcpMaxHalfOpen
Recommended value: 500
Valid values: 100–65535
Description: When SynAttackProtect is enabled, this value specifies the threshold for the number of TCP connections in the SYN_RCVD state. SYN flood attack protection is triggered once this threshold is exceeded.

Value name: TcpMaxHalfOpenRetried
Recommended value: 400
Valid values: 80–65535
Description: When SynAttackProtect is enabled, this value specifies the threshold for the number of TCP connections in the SYN_RCVD state for which at least one SYN-ACK retransmission has been sent. SYN flood attack protection is triggered once this threshold is exceeded.
Set additional protection

All registry values in this section are located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, except NoNameReleaseOnDemand, which is located under HKLM\System\CurrentControlSet\Services\NetBT\Parameters. These values are:
Value name: TcpMaxConnectResponseRetransmissions
Recommended value: 2
Valid values: 0–255
Description: Controls how many times a SYN-ACK is retransmitted in response to a SYN request before the connection attempt is abandoned. Fewer retransmissions free half-open slots sooner during a flood.

Value name: TcpMaxDataRetransmissions
Recommended value: 2
Valid values: 0–65535
Description: Specifies how many times TCP retransmits an unacknowledged data segment (not a connection request segment) before terminating the connection.

Value name: EnablePMTUDiscovery
Recommended value: 0
Valid values: 0, 1
Description: Setting this value to 1 (the default) forces TCP to discover the maximum transmission unit (largest packet size) on the path to the remote host. An attacker could force packets to fragment, which overworks the stack. Setting this value to 0 forces the MTU to 576 bytes for connections that are not from hosts on the local subnet; expect lower throughput to remote hosts as a result.

Value name: KeepAliveTime
Recommended value: 300000
Valid values: 80–4294967295
Description: Specifies how often, in milliseconds, TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet (300000 is 5 minutes). Keep-alives are only sent on connections whose application enabled them.

Value name: NoNameReleaseOnDemand
Recommended value: 1
Valid values: 0, 1
Description: Specifies whether the computer releases its NetBIOS name when it receives a name-release request. Setting it to 1 stops a forged name-release request from taking the computer's name off the network.
Use the values summarized in Table 1 for maximum protection.

Table 1: Recommended values

Value Name                              Value (REG_DWORD)
SynAttackProtect                        2
TcpMaxPortsExhausted                    1
TcpMaxHalfOpen                          500
TcpMaxHalfOpenRetried                   400
TcpMaxConnectResponseRetransmissions    2
TcpMaxDataRetransmissions               2
EnablePMTUDiscovery                     0
KeepAliveTime                           300000 (5 minutes)
NoNameReleaseOnDemand                   1
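The three steps above, carried out as one script: this is an added example, not code from the original article or from Microsoft. The registry keys and value names are the article's (with NoNameReleaseOnDemand under NetBT\Parameters, where it actually lives); the function name Set-HardeningDword, the variable names and the backup directory are this example's own choices. It assumes an elevated PowerShell session on a Windows 2000 / Server 2003-era TCP/IP stack.

```powershell
# Added example (not part of the original article): applies the SYN-protection
# values from Table 1 to the local host, with a registry backup first.
# Key and value names are the article's; Set-HardeningDword, the variables and
# the backup path are this example's own. Assumes an elevated session.
#Requires -RunAsAdministrator

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$NetbtParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

# Table 1 values, grouped by the article's three steps. KeepAliveTime is in
# milliseconds (300000 = 5 minutes). TcpMaxPortsExhausted uses Table 1's value;
# the per-value entry in the text recommends 5.
$SynProtection = @(
    # Step 1: enable SYN attack protection
    @{ Path = $TcpipParams; Name = 'SynAttackProtect';                     Value = 2 }
    # Step 2: thresholds that trigger the protection
    @{ Path = $TcpipParams; Name = 'TcpMaxPortsExhausted';                 Value = 1 }
    @{ Path = $TcpipParams; Name = 'TcpMaxHalfOpen';                       Value = 500 }
    @{ Path = $TcpipParams; Name = 'TcpMaxHalfOpenRetried';                Value = 400 }
    # Step 3: additional protection
    @{ Path = $TcpipParams; Name = 'TcpMaxConnectResponseRetransmissions'; Value = 2 }
    @{ Path = $TcpipParams; Name = 'TcpMaxDataRetransmissions';            Value = 2 }
    @{ Path = $TcpipParams; Name = 'EnablePMTUDiscovery';                  Value = 0 }
    @{ Path = $TcpipParams; Name = 'KeepAliveTime';                        Value = 300000 }
    @{ Path = $NetbtParams; Name = 'NoNameReleaseOnDemand';                Value = 1 }
)

function Set-HardeningDword {
    # Creates or updates one REG_DWORD value. SupportsShouldProcess means the
    # whole change set can be previewed with $WhatIfPreference = $true.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value
    )
    if (-not (Test-Path -Path $Path)) {
        throw "Registry key $Path does not exist; is this the expected Windows version?"
    }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Value) {
        Write-Verbose "$Name is already $Value"
        return
    }
    $shown = if ($null -eq $current) { '<absent>' } else { $current }
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set REG_DWORD $shown -> $Value")) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

# Keep a reversible copy of both keys before touching them.
$backupDir = Join-Path $env:ProgramData 'TcpipHardening'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' (Join-Path $backupDir "tcpip-$stamp.reg") /y | Out-Null
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' (Join-Path $backupDir "netbt-$stamp.reg") /y | Out-Null

# Apply the change set.
foreach ($setting in $SynProtection) {
    Set-HardeningDword -Path $setting.Path -Name $setting.Name -Value $setting.Value -Verbose
}

# Read back what is now in the registry so the change record is verifiable.
foreach ($setting in $SynProtection) {
    $actual = (Get-ItemProperty -Path $setting.Path -Name $setting.Name -ErrorAction SilentlyContinue).($setting.Name)
    '{0,-38} expected {1,-8} actual {2}' -f $setting.Name, $setting.Value, $actual
}

Write-Warning 'The TCP/IP stack reads these values at initialization; restart the host for them to take effect.'
```

Run it once with `$WhatIfPreference = $true` set in the session to see the planned changes without writing anything, then run it for real and reboot. The exported .reg files restore the previous state with `reg.exe import` if the tighter retransmission and PMTU settings turn out to hurt a legitimate remote workload.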
Protection against ICMP attacks

The named value for this section is located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.

Value name: EnableICMPRedirect
Recommended value: 0
Valid values: 0 (disabled), 1 (enabled)
Description: Setting this value to 0 prevents the creation of expensive host routes when ICMP redirect packets are received. With redirects honored, an attacker who can send ICMP redirects to the host can insert host routes that steer its traffic through a gateway of the attacker's choosing.

Use the values summarized in Table 2 for maximum protection.

Table 2: Recommended values
Value Name              Value (REG_DWORD)
EnableICMPRedirect      0
Protect against SNMP attacks

The named value for this section is located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.

Value name: EnableDeadGWDetect
Recommended value: 0
Valid values: 0 (disabled), 1 (enabled)
Description: Dead gateway detection lets TCP switch to a backup default gateway when the primary one appears to be down. Setting this value to 0 prevents an attacker from forcing the host to switch to an alternate gateway.

Use the values summarized in Table 3 for maximum protection.

Table 3: Recommended values
Value Name              Value (REG_DWORD)
EnableDeadGWDetect      0
Afd.sys protection

The following registry key specifies parameters for the kernel-mode driver Afd.sys, which supports Windows Sockets applications. All registry values in this section are located under the registry key HKLM\System\CurrentControlSet\Services\AFD\Parameters. These values are:
Value name: EnableDynamicBacklog
Recommended value: 1
Valid values: 0 (disabled), 1 (enabled)
Description: Enables the Afd.sys functionality for efficiently handling large numbers of SYN_RCVD connections. For more information, see "Internet Server Unavailable Because of Malicious SYN Attacks", http://support.microsoft.com/default.aspx?scid=kb;en-us;142641.

Value name: MinimumDynamicBacklog
Recommended value: 20
Valid values: 0–4294967295
Description: Specifies the minimum number of free connections allowed on a listening endpoint. If the number of free connections drops below this value, a thread is queued to create additional free connections.

Value name: MaximumDynamicBacklog
Recommended value: 20000
Valid values: 0–4294967295
Description: Specifies the maximum total number of free connections plus connections in the SYN_RCVD state.

Value name: DynamicBacklogGrowthDelta
Recommended value: 10
Valid values: 0–4294967295
Present by default: No
Description: Specifies the number of free connections to create when additional connections are needed.
Use the values summarized in Table 4 for maximum protection.

Table 4: Recommended values

Value Name                      Value (REG_DWORD)
EnableDynamicBacklog            1
MinimumDynamicBacklog           20
MaximumDynamicBacklog           20000
DynamicBacklogGrowthDelta       10
Other protection

All registry values in this section are located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.

Protect screened network details

Network address translation (NAT) is used to screen the internal network from incoming connections. An attacker could circumvent this screen by using IP source routing to determine the network topology.

Value name: DisableIPSourceRouting
Recommended value: 1
Valid values: 0 (forwards all packets), 1 (does not forward source-routed packets), 2 (drops all incoming source-routed packets)
Description: Disables IP source routing, which lets the sender dictate the route a datagram takes through the network. The value 2 is the most restrictive, since it discards every incoming source-routed packet rather than only declining to forward them.

Avoid accepting fragmented packets

Processing fragmented packets can be expensive. Although denial of service rarely originates from within the perimeter network, this setting prevents the processing of packet fragments.

Value name: EnableFragmentChecking
Recommended value: 1
Valid values: 0 (disabled), 1 (enabled)
Description: Prevents the IP stack from accepting fragmented packets.

Do not forward packets destined for multiple hosts

Multicast packets can be answered by multiple hosts, and the combined responses can overwhelm the network.

Value name: EnableMulticastForwarding
Recommended value: 0
Valid values: 0 (false), 1 (true)
Description: The routing service uses this parameter to control whether IP multicasts are forwarded. This parameter is created by the Routing and Remote Access service.

Only firewalls can forward packets between networks

A multihomed server should never forward packets between the networks it is connected to. The obvious exception is a firewall.

Value name: IPEnableRouter
Recommended value: 0
Valid values: 0 (false), 1 (true)
Description: Setting this parameter to 1 (true) causes the system to route IP packets between the networks to which it is connected.
Mask network topology details

ICMP packets can be used to request the subnet mask of a host. Leaking this information by itself is harmless, but the responses of multiple hosts can be combined to map the internal network.

Value name: EnableAddrMaskReply
Recommended value: 0
Valid values: 0 (false), 1 (true)
Description: This parameter controls whether the computer responds to ICMP address mask requests.

Use the values summarized in Table 5 for maximum protection.

Table 5: Recommended values
Value Name                      Value (REG_DWORD)
DisableIPSourceRouting          1
EnableFragmentChecking          1
EnableMulticastForwarding       0
IPEnableRouter                  0
EnableAddrMaskReply             0
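A read-only audit of every value in Tables 1 to 5, as an added example that is not part of the original article and not Microsoft's code. The key and value names are the article's (NoNameReleaseOnDemand under NetBT\Parameters); the function name Test-TcpipHardening, the baseline structure and the output columns are this example's own. It treats an absent value as non-compliant, because the stack then falls back to its built-in default, which for several of these values (EnablePMTUDiscovery, EnableICMPRedirect and EnableDeadGWDetect all default to 1) is the less secure setting.

```powershell
# Added example (not part of the original article): audits the local host
# against Tables 1 to 5 and reports any value that is absent or differs from
# the recommendation. Key and value names are the article's; the function,
# baseline layout and output columns are this example's own. Read-only.

$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Afd   = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'
$NetBT = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

$Baseline = @(
    # Table 1: SYN attack protection (TcpMaxPortsExhausted uses the table's value)
    @{ Path = $Tcpip; Name = 'SynAttackProtect';                     Expected = 2 }
    @{ Path = $Tcpip; Name = 'TcpMaxPortsExhausted';                 Expected = 1 }
    @{ Path = $Tcpip; Name = 'TcpMaxHalfOpen';                       Expected = 500 }
    @{ Path = $Tcpip; Name = 'TcpMaxHalfOpenRetried';                Expected = 400 }
    @{ Path = $Tcpip; Name = 'TcpMaxConnectResponseRetransmissions'; Expected = 2 }
    @{ Path = $Tcpip; Name = 'TcpMaxDataRetransmissions';            Expected = 2 }
    @{ Path = $Tcpip; Name = 'EnablePMTUDiscovery';                  Expected = 0 }
    @{ Path = $Tcpip; Name = 'KeepAliveTime';                        Expected = 300000 }
    @{ Path = $NetBT; Name = 'NoNameReleaseOnDemand';                Expected = 1 }
    # Table 2: ICMP redirects
    @{ Path = $Tcpip; Name = 'EnableICMPRedirect';                   Expected = 0 }
    # Table 3: dead gateway detection
    @{ Path = $Tcpip; Name = 'EnableDeadGWDetect';                   Expected = 0 }
    # Table 4: Afd.sys dynamic backlog
    @{ Path = $Afd;   Name = 'EnableDynamicBacklog';                 Expected = 1 }
    @{ Path = $Afd;   Name = 'MinimumDynamicBacklog';                Expected = 20 }
    @{ Path = $Afd;   Name = 'MaximumDynamicBacklog';                Expected = 20000 }
    @{ Path = $Afd;   Name = 'DynamicBacklogGrowthDelta';            Expected = 10 }
    # Table 5: other protection
    @{ Path = $Tcpip; Name = 'DisableIPSourceRouting';               Expected = 1 }
    @{ Path = $Tcpip; Name = 'EnableFragmentChecking';               Expected = 1 }
    @{ Path = $Tcpip; Name = 'EnableMulticastForwarding';            Expected = 0 }
    @{ Path = $Tcpip; Name = 'IPEnableRouter';                       Expected = 0 }
    @{ Path = $Tcpip; Name = 'EnableAddrMaskReply';                  Expected = 0 }
)

function Test-TcpipHardening {
    # Returns one object per baseline entry. An absent value counts as
    # non-compliant: the stack then uses its built-in default, which for
    # EnablePMTUDiscovery, EnableICMPRedirect and EnableDeadGWDetect is 1.
    param([array] $Baseline)
    foreach ($item in $Baseline) {
        $actual = $null
        if (Test-Path -Path $item.Path) {
            $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        }
        [pscustomobject]@{
            Key       = ($item.Path -split '\\')[-2]    # 'Tcpip', 'AFD' or 'NetBT'
            Name      = $item.Name
            Expected  = $item.Expected
            Actual    = if ($null -eq $actual) { '<absent>' } else { $actual }
            Compliant = ($null -ne $actual) -and ($actual -eq $item.Expected)
        }
    }
}

$results = @(Test-TcpipHardening -Baseline $Baseline)
$results | Format-Table -AutoSize

$drift = @($results | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning ('{0} of {1} values deviate from the recommended hardening' -f $drift.Count, $results.Count)
    exit 1
}
Write-Host 'All recommended values are in place.'
```

The non-zero exit code makes the script usable from a scheduled task or a configuration-drift check; pipe `$results` to Export-Csv instead of Format-Table when the output needs to go into a ticket.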
|