A simple tutorial on the registry settings for preventing DDoS attacks under Windows 2003

Source: Internet
Author: User

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]


; Enable SYN attack protection =================
; The default value is 0, meaning SYN attack protection is off. Values 1 and 2 enable it; 2 is the stricter level.
; What counts as an attack is decided by the TcpMaxHalfOpen and TcpMaxHalfOpenRetried thresholds set below, which trigger the protection.
; Note: on NT 4.0 this must be set to 1; setting it to 2 there causes the system to reboot when a particular kind of packet arrives.
"SynAttackProtect"=dword:00000002


; Maximum number of half-open connections allowed at the same time.
; A half-open connection is a TCP session that has not been fully established; netstat shows it in the SYN_RCVD state.
; Microsoft's recommended values: 100 for Server, 500 for Advanced Server.
"TcpMaxHalfOpen"=dword:00000064


; Threshold at which the connection load is treated as an attack and the protection is triggered.
; Microsoft's recommended values: 80 for Server, 400 for Advanced Server.
"TcpMaxHalfOpenRetried"=dword:00000050


; Number of SYN-ACK retransmissions, i.e. how long to wait for the handshake to complete.
; The default value is 3, which keeps a half-open connection around for 45 seconds. A value of 2 takes 21 seconds, 1 takes 9 seconds,
; and the minimum, 0, means no retransmission and a 3-second wait.
; Adjust according to the size of the attack; Microsoft's security guidance recommends 2.
"TcpMaxConnectResponseRetransmissions"=dword:00000001


; Number of times a TCP data segment is retransmitted.
; The default value is 5, which keeps retrying for 240 seconds. Microsoft's security guidance recommends 3.
"TcpMaxDataRetransmissions"=dword:00000003


; Threshold for SYN attack protection.
; When the available backlog drops to 0, this parameter controls whether SYN attack protection is turned on. Microsoft's security guidance recommends 5.
"TcpMaxPortsExhausted"=dword:00000005
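The thresholds above only matter if you can see how close the host is to them. The following PowerShell script is an added example, not part of the original article: it reads TcpMaxHalfOpen and TcpMaxHalfOpenRetried from the registry (falling back to the article's values of 100 and 80 when they are not set), counts the connections netstat reports in the SYN_RECEIVED state (netstat's name for SYN_RCVD), and groups them by source address. It parses netstat output rather than using Get-NetTCPConnection, which does not exist on Windows 2003.

```powershell
# Added example (not part of the original article): count half-open TCP
# connections on this host and compare them with the TcpMaxHalfOpen /
# TcpMaxHalfOpenRetried thresholds from the .reg file above (100 and 80).
# Uses netstat output, which is available on Windows 2003.

$tcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$params   = Get-ItemProperty -Path $tcpipKey -ErrorAction SilentlyContinue

# Fall back to the article's values when the registry value is not set.
$maxHalfOpen        = 100
$maxHalfOpenRetried = 80
if ($params -and $params.TcpMaxHalfOpen)        { $maxHalfOpen        = $params.TcpMaxHalfOpen }
if ($params -and $params.TcpMaxHalfOpenRetried) { $maxHalfOpenRetried = $params.TcpMaxHalfOpenRetried }

# netstat prints the SYN_RCVD state as SYN_RECEIVED; each line is
# "  TCP    local:port    remote:port    STATE".
$halfOpen = @(netstat -n -p tcp | Where-Object { $_ -match 'SYN_RECEIVED' } | ForEach-Object {
    $fields = $_.Trim() -split '\s+'
    New-Object PSObject -Property @{
        Local  = $fields[1]
        Remote = $fields[2]
        Source = ($fields[2] -split ':')[0]   # IPv4 address without the port
    }
})

"Half-open (SYN_RECEIVED) connections: $($halfOpen.Count)"
"TcpMaxHalfOpen=$maxHalfOpen  TcpMaxHalfOpenRetried=$maxHalfOpenRetried"
if ($halfOpen.Count -ge $maxHalfOpenRetried) {
    "WARNING: half-open count has reached the threshold that triggers SynAttackProtect."
}

# Which sources hold the half-open connections. A flood typically shows many
# distinct (often spoofed) sources with one unanswered SYN each.
$halfOpen | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

Run it a few times during normal load first: the baseline count tells you whether the recommended thresholds are realistic for your server or need to be raised before SynAttackProtect starts dropping legitimate connection attempts.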



; Gateway related settings =================
; Turn off dead gateway detection.
; When the server has multiple gateways, the system switches to the second gateway when the network is congested; disabling the check avoids that switch and keeps the network stable.
"EnableDeadGWDetect"=dword:00000000


; Do not respond to ICMP Redirect messages. Such messages can be used in attacks, so the system should reject them.
"EnableICMPRedirect"=dword:00000000


; Do not release the NetBIOS name on demand.
; When an attacker sends a name-release request for the server's NetBIOS name, this stops the server from responding. Note that SP2 or later must be installed.
"NoNameReleaseOnDemand"=dword:00000001


; Send keep-alive probe packets. This option determines how often TCP checks that an idle connection is still alive.
; If not set, the system checks idle TCP connections every 2 hours; this sets the interval to 5 minutes (300000 ms).
"KeepAliveTime"=dword:000493e0


; Disable path MTU discovery.
; When set to 1, the largest packet size that can be transmitted is detected automatically, which improves transmission efficiency.
; For robustness or security, set the value to 0, which uses a fixed MTU of 576 bytes.
"EnablePMTUDiscovery"=dword:00000000


; Disable IP source routing. The default value is 1, which means source-routed packets are not forwarded.
; 0 means forward all; 2 means drop all received source-routed packets. Microsoft's security guidance recommends 2.
"DisableIPSourceRouting"=dword:00000002


; Limit how long a connection stays in the TIME_WAIT state.
; The default is 240 seconds, the minimum 30 seconds and the maximum 300 seconds. The recommended setting is 30 seconds.
"TcpTimedWaitDelay"=dword:0000001e



; NetBT related settings =================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]


; Increase the size of the NetBT connection block.
; The default is 3, range 1-20. A larger number gives better performance as the number of connections grows; each connection block consumes 87 bytes.
"BacklogIncrement"=dword:00000003


; Maximum number of NetBT connections.
; Range 1-40000; set here to 1000. A larger number allows more connections.
"MaxConnBacklog"=dword:000003e8



; Backlog related settings =================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]


; Enable dynamic backlog. For systems that are busy or exposed to SYN attacks, the recommended setting is 1, which allows the dynamic backlog.
"EnableDynamicBacklog"=dword:00000001


; Minimum dynamic backlog. This is the minimum number of free connections the dynamic backlog keeps allocated;
; when the number of free connections drops below it, more are allocated automatically. The default is 0; 20 is recommended for systems that are busy or exposed to SYN attacks.
"MinimumDynamicBacklog"=dword:00000014


; Maximum dynamic backlog. The maximum number of connections, limited mainly by memory size.
; As a rule of thumb, each 32 MB of memory supports another 5,000; here it is set to 20000 (0x4e20).
"MaximumDynamicBacklog"=dword:00004e20


; Growth delta: how many free connections are added each time. The default value is 5.
; For systems that are busy or exposed to SYN attacks, the recommended setting is 10.
"DynamicBacklogGrowthDelta"=dword:0000000a
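Importing a .reg file tells you nothing about what the host looked like before, and nothing about whether a later change reverted it. The PowerShell script below is an added example, not part of the original article: it audits the Tcpip, NetBT and AFD values from the .reg file above against the registry, prints OK, MISSING or DIFFERS for each, and only writes the differing values when run with the assumed -Apply switch. The expected numbers are the article's own values converted to decimal.

```powershell
# Added example (not part of the original article): audit this host against the
# values in the .reg file above. Read-only by default; -Apply writes the
# differing values. Run from an elevated PowerShell prompt.
param([switch]$Apply)

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$afd   = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'

# Expected values copied from the .reg file above, as decimal numbers.
$expected = @(
    @{ Key = $tcpip; Name = 'SynAttackProtect';                     Value = 2 },
    @{ Key = $tcpip; Name = 'TcpMaxHalfOpen';                       Value = 100 },
    @{ Key = $tcpip; Name = 'TcpMaxHalfOpenRetried';                Value = 80 },
    @{ Key = $tcpip; Name = 'TcpMaxConnectResponseRetransmissions'; Value = 1 },
    @{ Key = $tcpip; Name = 'TcpMaxDataRetransmissions';            Value = 3 },
    @{ Key = $tcpip; Name = 'TcpMaxPortsExhausted';                 Value = 5 },
    @{ Key = $tcpip; Name = 'EnableDeadGWDetect';                   Value = 0 },
    @{ Key = $tcpip; Name = 'EnableICMPRedirect';                   Value = 0 },
    @{ Key = $tcpip; Name = 'NoNameReleaseOnDemand';                Value = 1 },
    @{ Key = $tcpip; Name = 'KeepAliveTime';                        Value = 300000 },
    @{ Key = $tcpip; Name = 'EnablePMTUDiscovery';                  Value = 0 },
    @{ Key = $tcpip; Name = 'DisableIPSourceRouting';               Value = 2 },
    @{ Key = $tcpip; Name = 'TcpTimedWaitDelay';                    Value = 30 },
    @{ Key = $netbt; Name = 'BacklogIncrement';                     Value = 3 },
    @{ Key = $netbt; Name = 'MaxConnBacklog';                       Value = 1000 },
    @{ Key = $afd;   Name = 'EnableDynamicBacklog';                 Value = 1 },
    @{ Key = $afd;   Name = 'MinimumDynamicBacklog';                Value = 20 },
    @{ Key = $afd;   Name = 'MaximumDynamicBacklog';                Value = 20000 },
    @{ Key = $afd;   Name = 'DynamicBacklogGrowthDelta';            Value = 10 }
)

$toFix = @()
foreach ($e in $expected) {
    # A missing key or value name just yields $null here; no exception is thrown.
    $item    = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
    $current = $null
    if ($item) { $current = $item.($e.Name) }
    $state = 'DIFFERS'; if ($current -eq $null) { $state = 'MISSING' } elseif ($current -eq $e.Value) { $state = 'OK' }
    '{0,-8} {1,-38} current={2,-8} expected={3}' -f $state, $e.Name, $current, $e.Value
    if ($state -ne 'OK') { $toFix += $e }
}

if ($Apply -and $toFix.Count -gt 0) {
    foreach ($e in $toFix) {
        if (-not (Test-Path $e.Key)) { New-Item -Path $e.Key -Force | Out-Null }
        Set-ItemProperty -Path $e.Key -Name $e.Name -Value $e.Value -Type DWord
    }
    "Applied $($toFix.Count) change(s). TCP/IP stack parameters take effect after a reboot."
}
```

Keep the read-only output from before and after the change with the server's build notes; that record is what lets you tell a deliberate tuning change from drift or tampering later on.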

The following settings need to be adjusted to the actual situation; do not import the .reg file below as-is.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]


; Enable security filtering on the network card
"EnableSecurityFilters"=dword:00000001


; Number of TCP connections that may be open at the same time; adjust according to your situation.
"TcpNumConnections"=dword:000f4240


; Controls the size limit of the TCP header table. On a machine with a large amount of RAM, raising this setting improves response performance during a SYN attack.
; The value was not given in the source; fill in a DWORD suited to your hardware.
"TcpMaxSendFree"=



; The following key must be changed to your own network interface. To see which interface is in use, look for the one that holds the configured IP address.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{replace with your own NIC interface GUID}]


; Disable router discovery. ICMP router advertisement packets can be used to add routing table entries and thereby mount attacks, so router discovery is disabled.
"PerformRouterDiscovery"=dword:00000000
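Picking the right {GUID} under Interfaces by hand is error-prone on a server with several adapters. The PowerShell snippet below is an added example, not part of the original article: it lists every Interfaces subkey together with the static (IPAddress) or DHCP (DhcpIPAddress) address it carries and the current PerformRouterDiscovery value, so the GUID can be chosen by its IP address as the article suggests. The GUID in the final commented line is a placeholder.

```powershell
# Added example (not part of the original article): map Interfaces\{GUID}
# subkeys to the IP addresses they carry, so the right GUID can be substituted
# into the key path above.
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

Get-ChildItem -Path $ifaceRoot | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    # Static addresses live in the IPAddress multi-string; DHCP leases in DhcpIPAddress.
    $addresses = @()
    if ($props.IPAddress)     { $addresses += $props.IPAddress }
    if ($props.DhcpIPAddress) { $addresses += $props.DhcpIPAddress }
    # 0.0.0.0 means "no static address"; drop it so DHCP-only adapters read cleanly.
    $addresses = @($addresses | Where-Object { $_ -and $_ -ne '0.0.0.0' })
    New-Object PSObject -Property @{
        Guid                   = $_.PSChildName
        Addresses              = ($addresses -join ', ')
        PerformRouterDiscovery = $props.PerformRouterDiscovery
    }
} | Where-Object { $_.Addresses } | Format-Table Guid, Addresses, PerformRouterDiscovery -AutoSize

# Once the GUID is known, set the value on that interface only (placeholder GUID):
# Set-ItemProperty -Path "$ifaceRoot\{YOUR-INTERFACE-GUID}" -Name PerformRouterDiscovery -Value 0 -Type DWord
```

Interfaces with no address at all (disconnected or virtual adapters) are filtered out of the table; if the adapter you expect is missing, run the snippet without the Where-Object filter to see every subkey.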

Of course, the best option is to run Linux, which offers more choices beyond the settings of the system itself.

Common DDoS attacks and defenses

Continuing in the 80sec spirit of "know it, then hack it", here is a brief discussion of DDoS attacks and defenses. DDoS stands for distributed denial of service. A denial of service means the service stops for some reason, and the most important and most common reason is exhaustion of the limited resources on the serving side. Those resources are of many kinds, so it helps to walk through how a normal request is completed:

1 The user enters the requested address in the client browser
2 The browser parses the request, including resolving DNS to find the address of the remote server that must be reached
3 With the address known, the browser tries to establish a connection with the server: the connection-setup packets leave the local network, pass through intermediate routers, and finally reach the target network and then the target server
4 Once the network connection is established, the browser builds packets according to the request and sends them to a port on the server
5 The port is mapped to a process, which accepts the packets and parses them internally
6 The process requests various resources inside the server, including backend APIs, databases, files and so on
7 When the logic has finished, the response is returned to the user's browser through the channel established earlier; the browser parses it and the request is complete.

Each of these points can be used for DDoS attacks, including:

1 Some notorious client-hijacking viruses; remember when visiting Baidu redirected you to Sogou? :)
2 DNS hijacking incidents at large Internet companies, or simply a flood of DNS requests aimed directly at a DNS server; a professional third-party DNS service such as DNSPod can be used to mitigate this problem
3 Using network resources to saturate the server's bandwidth so that normal packets cannot arrive, such as a UDP flood; consuming the CPU of front-end equipment so that packets cannot be forwarded effectively, such as ICMP and fragmented-packet floods; consuming the resources the server needs to establish a normal connection, such as a SYN flood; or even opening so many connections that no normal connection can be initiated, such as a TCP flood
4 Using characteristics of the web server itself: compared with Nginx, Apache's handling of a request is a far heavier process.
5 Using features inside the application to attack internal resources such as MySQL or resource-hungry backend interfaces; this is the CC attack in the traditional sense.

This brings in the notion of attack and defense. In fact, if you understand the other side's attacks and your own position, defense becomes a straightforward matter of pooling resources: do not use your weakest point to fight the opponent's strongest, but solve each problem at the most appropriate place. For example, trying to handle application-layer attacks on routers and similar devices is not a good approach, and likewise trying to solve a network-layer problem at the application layer is impossible. Put simply, the goal is only to let normal data and requests into our services, and a sound defense system should consider the following aspects:

1 As the entry point for user requests, there must be good DNS defenses
2 Bandwidth resources that match your value, plus a defensive strategy for the application layer on the core nodes that admits only the network packets your application normally uses, for example blocking all packets except port 80.
3 A machine cluster that supports the value of your service and can withstand the pressure at the application layer. An HTTP request has to be decomposed further: the connection-establishment stage is separated from the pressure on the rest of the cluster (there appear to be general-purpose hardware firewalls that do this), and even the normal HTTP request parsing is decomposed, so that only normal requests reach the backend and abnormal ones are removed. The frequency and other behaviour of normal requests is recorded and monitored, and once an anomaly appears it is blocked here at the application layer.

Each company evaluates its own value to decide the size of its security investment, and every attack likewise involves some benefit for the attacker. Defense is inherently weak for many reasons: lack of commitment, imperfections in execution, and innate weaknesses. But because each attack involves different links, and each link can be carried out by people of different skill levels, with the resources, tools and techniques they use all imperfect, defense is possible.

Beyond that, I believe DDoS attacks are an established industry with a fixed population behind them, and the technologies, tools, resources and chains of interest involved are relatively stable. Enterprises, by contrast, barely communicate with each other, and it is very hard for a single enterprise to fight an industry. If every enterprise shared its experience of being attacked, including the size and IP distribution of botnets, the characteristics of the attack tools, and even analysis of the interests and operators behind them, then each attack would raise everyone's overall defensive capability and erode the attacker's ability to attack. We are willing to do this.
