Modify the Registry to Improve the Anti-DDoS Capability of Windows

Source: Internet
Author: User
DoS and DDoS

I believe no one is unfamiliar with these two terms: denial of service (DoS) and distributed denial of service (DDoS).

Denial of service means that, after a specific attack, the target can no longer provide its services in a timely manner.

A web server can no longer serve its site, and mail servers (SMTP, POP3) can no longer send or receive mail. Denial-of-service attacks usually flood the target with a large number of network packets in order to paralyze its network and host, so that legitimate users cannot obtain service from the host in time.

A distributed denial-of-service (DDoS) attack exhausts the available system resources and network bandwidth with a volume of packets that far exceeds the target's processing capacity, paralyzing its network services.

Perhaps because of excessive media attention, DoS attacks, and DDoS attacks in particular, seem to have become fashionable overnight. Whenever a server goes down, someone excitedly shouts "I'm under DDoS attack!", as if that were something glorious to be proud of.

In fact, genuine DDoS attacks are rare around us, since a DDoS attack requires considerable resources. Attacks do keep happening, but the vast majority are ordinary denial-of-service attacks. These ordinary attacks, and how to defend against them, have become the biggest headache for many network administrators, and the answer they get is usually the same: "buy our hardware firewall".

Hardware firewalls, including dedicated anti-DoS products, are indeed effective, but they are very expensive. However good the results, the investment in protection can easily be out of proportion to what is being protected.

In fact, the operating system itself offers many capabilities, though many of them have to be dug out patiently. Here is a brief introduction to modifying the registry on Windows 2000 to enhance the system's resistance to DoS attacks.

Details:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

Disable dead gateway detection. When the server has multiple gateways configured, the system switches to the second gateway whenever the network is congested. Disabling this detection optimizes the network.

"EnableDeadGWDetect"=dword:00000000

Disable responses to ICMP redirect packets. Such packets can be used in attacks, so the system should ignore ICMP redirects.

"EnableICMPRedirects"=dword:00000000

Prevent the NetBIOS name from being released on demand. When an attacker sends a request to release the server's NetBIOS name, the server is prevented from honoring it.

Note: the system must have SP2 or later installed.
"NoNameReleaseOnDemand"=dword:00000001

Send keep-alive verification packets. This option determines how often TCP checks whether a connection is still alive. If it is not set, the system checks idle TCP connections every two hours; here the interval is set to 5 minutes (the value is in milliseconds).

"KeepAliveTime"=dword:000493e0

Disable path MTU discovery. When the value is 1, the largest transmittable packet size is detected automatically, which improves transmission efficiency. If that causes faults or security problems, set the value to 0, which uses a fixed MTU of 576 bytes.

"EnablePMTUDiscovery"=dword:00000000

Enable SYN attack protection. The default value 0 means protection is off; 1 and 2 enable it, and 2 gives the higher security level. What counts as an attack, and therefore triggers the protection, is determined by the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values below. Note that on NT 4.0 this must be set to 1: with 2, a specially crafted packet can cause the system to reboot.

"SynAttackProtect"=dword:00000002

The number of half-open connections allowed at the same time. A half-open connection is a TCP session that has not been fully established; netstat shows it in the SYN_RCVD state. We recommend 100 for Server and 500 for Advanced Server; setting it somewhat lower is advisable.

"TcpMaxHalfOpen"=dword:00000064

Determines when attack protection is triggered. Microsoft's recommended values are 80 for Server and 400 for Advanced Server.

"TcpMaxHalfOpenRetried"=dword:00000050

Sets how many times the SYN-ACK is retransmitted, and thus how long the system waits on a half-open connection. The default value 3 takes 45 seconds; 2 takes 21 seconds; 1 takes 9 seconds; the minimum 0 means no retransmission and takes 3 seconds. Adjust this according to the scale of the attack. Microsoft's site security recommendation is 2.

"TcpMaxConnectResponseRetransmissions"=dword:00000001

Sets the number of times TCP retransmits a single data segment. The default value 5 takes 240 seconds in total. Microsoft's site security recommendation is 3.

"TcpMaxDataRetransmissions"=dword:00000003

Sets the threshold for SYN attack protection. When the available backlog drops to 0, this parameter controls when SYN attack protection is enabled. Microsoft's site security recommendation is 5.

"TcpMaxPortsExhausted"=dword:00000005

Disable IP source routing. The default value 1 means source-routed packets are not forwarded; 0 means all source-routed packets are forwarded; 2 means all received source-routed packets are dropped. Microsoft's site security recommendation is 2.

"DisableIPSourceRouting"=dword:00000002

The maximum time a connection stays in the TIME_WAIT state. The default is 240 seconds; the minimum is 30 seconds and the maximum is 300 seconds. We recommend 30 seconds.

"TcpTimedWaitDelay"=dword:0000001e
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]

Increase the NetBT connection block size. The default value is 3 and the range is 1-20; a larger value allows more connections and gives better performance. Each connection block consumes 87 bytes.

"BacklogIncrement"=dword:00000003

The maximum NetBT connection backlog. The range is 1-40000; here it is set to 1000. A larger value allows more connections to be accepted when many connections arrive at once.

"MaxConnBackLog"=dword:000003e8
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]

Enable the dynamic backlog. For systems that are busy or exposed to SYN attacks, we recommend setting this to 1 to allow a dynamic backlog.

"EnableDynamicBacklog"=dword:00000001

Configure the minimum dynamic backlog: the minimum number of free connections the dynamic backlog keeps allocated. When the number of free connections falls below this value, more are allocated automatically. The default is 0; for systems that are busy or exposed to SYN attacks, we recommend 20.

"MinimumDynamicBacklog"=dword:00000014

Maximum dynamic backlog. This defines the maximum number of half-open ("quasi") connections. It depends mainly on memory size; in theory each 32 MB of memory supports up to 5000 more connections. Set it to 20000 (0x4e20).

"MaximumDynamicBacklog"=dword:00004e20

The number of free connections added at a time. The default value is 5. For systems that are busy or exposed to SYN attacks, we recommend 10.

"DynamicBacklogGrowthDelta"=dword:0000000a

 
Adjust the following settings manually according to actual conditions:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

Enable security filtering on the network interface.

"EnableSecurityFilters"=dword:00000001

The number of TCP connections that may be open at the same time; control it as needed.

"TcpNumConnections"=dword:<value as needed>

This parameter controls the size limit of the TCP header table. On machines with a large amount of RAM, raising it improves response performance during SYN attacks.

"TcpMaxSendFree"=dword:<value as needed>

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface GUID>]

Disable router discovery. ICMP router advertisement packets can be used to add entries to the routing table, which can enable attacks, so router discovery is disabled.

"PerformRouterDiscovery"=dword:00000000

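As an added check, not part of the original article: a small portable linter (written in Python so it runs anywhere, rather than as a Windows tool) that parses a .reg fragment like the one above and flags the two kinds of mistake that are easy to make in it, dword literals that are not the 8 hex digits the .reg format specifies, and SYN-protection values that are inconsistent with each other or with the numbers the article gives. The sample .reg text is constructed for this example, and the rule that TcpMaxHalfOpenRetried must stay below TcpMaxHalfOpen is an assumption of the example rather than something the article states.

```python
import re

# Constructed sample: the article's Tcpip and AFD fragments in real .reg syntax, keeping its two
# suspect dword literals (7 digits for DisableIPSourceRouting; MaximumDynamicBacklog not 20000).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
"TcpMaxHalfOpen"=dword:00000064
"TcpMaxHalfOpenRetried"=dword:00000050
"DisableIPSourceRouting"=dword:0000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"MaximumDynamicBacklog"=dword:1272e20
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"\s*=\s*dword:([0-9a-f]+)$', re.IGNORECASE)

def parse_reg(text):
    """Return ({key after Services\\: {lowercased value name: int}}, syntax findings)."""
    values, findings, key = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group(1).split("\\Services\\")[-1]
            values.setdefault(key, {})
        elif (m := DWORD_RE.match(line)) and key is not None:
            name, hexval = m.group(1), m.group(2)
            if len(hexval) != 8:  # the .reg format specifies exactly 8 hex digits per dword
                findings.append(f"{key}\\{name}: dword literal '{hexval}' is not 8 hex digits")
            values[key][name.lower()] = int(hexval, 16)
    return values, findings

def lint_reg(text):
    """Syntax check plus consistency rules for the SYN-protection settings (assumed rules)."""
    values, findings = parse_reg(text)
    tcp = values.get("Tcpip\\Parameters", {})
    afd = values.get("AFD\\Parameters", {})
    sap = tcp.get("synattackprotect")
    half, retried = tcp.get("tcpmaxhalfopen"), tcp.get("tcpmaxhalfopenretried")
    if sap == 2 and (half is None or retried is None):
        findings.append("SynAttackProtect=2 needs TcpMaxHalfOpen and TcpMaxHalfOpenRetried set")
    if half is not None and retried is not None and retried >= half:
        findings.append(f"TcpMaxHalfOpenRetried={retried} must stay below TcpMaxHalfOpen={half}")
    mx = afd.get("maximumdynamicbacklog")
    if mx is not None and mx != 20000:
        findings.append(f"MaximumDynamicBacklog decodes to {mx}, not the 20000 the article sets")
    return findings
```

Running `lint_reg(SAMPLE_REG)` reports the 7-digit DisableIPSourceRouting literal and that `1272e20` decodes to 19344928 rather than 20000, while the 80/100 half-open pair passes.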