Comprehensive defense against SYN Attacks

Source: Internet
Author: User


Abstract: This chapter covers only the main aspects of basic-level hacker attacks, such as the types and methods of attack, port and vulnerability scanning, and TCP-based DoS attacks against Windows 2000/Server 2003. This article describes a comprehensive defense against SYN attacks.
SYN attacks exploit a weakness in the TCP/IP connection-establishment mechanism. To carry out a SYN flood, an attacker uses a program to send a large number of TCP SYN requests, filling up the server's half-open connection queue so that other users can no longer establish network connections. To protect a server from SYN attacks, follow these general steps:
(1) Enable SYN attack protection.
(2) Set the SYN protection thresholds.
(3) Set the other protection values.
The registry configuration method described in this section applies to both Windows 2000 and Windows Server 2003.

1. SYN Attack Protection
To enable SYN attack protection, set the following DWORD registry value.
SynAttackProtect (DWORD). In the Registry Editor, this value is located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key; set it to 2 (valid values: 0 ~ 2).
This setting causes TCP to adjust the retransmission of SYN-ACKs, so that connection responses time out faster while a SYN attack is in progress. SYN attack protection is triggered when the TcpMaxHalfOpen or TcpMaxHalfOpenRetried value is exceeded. This registry entry was introduced in the previous two sections and is not repeated here. The SYN protection thresholds are described next.
2. Set the SYN protection thresholds
(1) TcpMaxPortsExhausted (DWORD)
In the Registry Editor, locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key, find the DWORD value named "TcpMaxPortsExhausted", and set it to 5 (valid values: 0 ~ 65535). This setting specifies the number of TCP connection requests that must be exceeded before SYN flood protection is triggered.
(2) TcpMaxHalfOpen (DWORD)
Under the same Services key in the Registry Editor, find the value "TcpMaxHalfOpen" and set it to 500 (valid values: 100 ~ 65535). This setting specifies the threshold number of TCP connections in the SYN_RCVD state once SynAttackProtect is enabled. When this threshold is exceeded, SYN flood protection is triggered.
(3) TcpMaxHalfOpenRetried (DWORD)
Set the value "TcpMaxHalfOpenRetried" to 400 (valid values: 80 ~ 65535). This setting specifies the threshold number of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent, once SynAttackProtect is enabled. When this threshold is exceeded, SYN flood protection is triggered.
3. Other protection items
All registry values in this section are located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key.
Set the DWORD value "TcpMaxConnectResponseRetransmissions" to 2 (valid values: 0 ~ 255). This setting controls how many times the SYN-ACK is retransmitted in response to a SYN request before the retransmission attempts are abandoned.
Set the DWORD value "TcpMaxDataRetransmissions" to 2 (valid values: 0 ~ 65535). This setting specifies how many times TCP retransmits a data segment (as opposed to a connection-request segment) before the connection is terminated.
Set the value "EnablePMTUDiscovery" to 0 (valid values: 0, 1). When set to 1 (the default), TCP attempts to discover the maximum transmission unit (largest packet size) on the path to the remote host. An attacker can exploit this by forcing packets to be fragmented into very small segments, which overloads the stack. Setting the value to 0 forces the maximum transmission unit to 576 bytes for connections to hosts that are not on the local subnet.
Set the value "KeepAliveTime" to 300000 (5 minutes; valid values: 80 ~ 4294967295). This setting controls how often TCP sends keep-alive packets to verify that an idle connection is still intact.
Set the value "NoNameReleaseOnDemand" to 1 (valid values: 0, 1). This setting controls whether the computer releases its NetBIOS name when it receives a name-release request; setting it to 1 means the name is not released on demand.
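The following PowerShell script is an added example, not part of the original article: it audits every value listed in sections 1 to 3 against the recommended settings and, with -Apply, writes them as DWORDs. The article names only the Services key; the Tcpip\Parameters and NetBT\Parameters subkeys used here are where Windows actually stores these values (taken from Microsoft's TCP/IP hardening documentation, not from the page). Assumes an elevated session; a reboot is needed for the values to take effect.

```powershell
# Added example: audit (and optionally apply) the SYN-protection registry values
# recommended in the text. Run from an elevated PowerShell prompt.
param([switch]$Apply)

$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Name, subkey, recommended value and valid range for each DWORD, as given in the text.
# Subkey locations are assumed from Microsoft's TCP/IP hardening guidance, not the page.
$Recommended = @(
    @{ Name = 'SynAttackProtect';                     Key = 'Tcpip\Parameters'; Value = 2;      Min = 0;   Max = 2 }
    @{ Name = 'TcpMaxPortsExhausted';                 Key = 'Tcpip\Parameters'; Value = 5;      Min = 0;   Max = 65535 }
    @{ Name = 'TcpMaxHalfOpen';                       Key = 'Tcpip\Parameters'; Value = 500;    Min = 100; Max = 65535 }
    @{ Name = 'TcpMaxHalfOpenRetried';                Key = 'Tcpip\Parameters'; Value = 400;    Min = 80;  Max = 65535 }
    @{ Name = 'TcpMaxConnectResponseRetransmissions'; Key = 'Tcpip\Parameters'; Value = 2;      Min = 0;   Max = 255 }
    @{ Name = 'TcpMaxDataRetransmissions';            Key = 'Tcpip\Parameters'; Value = 2;      Min = 0;   Max = 65535 }
    @{ Name = 'EnablePMTUDiscovery';                  Key = 'Tcpip\Parameters'; Value = 0;      Min = 0;   Max = 1 }
    @{ Name = 'KeepAliveTime';                        Key = 'Tcpip\Parameters'; Value = 300000; Min = 80;  Max = 4294967295 }
    @{ Name = 'NoNameReleaseOnDemand';                Key = 'NetBT\Parameters'; Value = 1;      Min = 0;   Max = 1 }
)

foreach ($entry in $Recommended) {
    $path = Join-Path $Services $entry.Key

    # Read the current value; a missing value means the built-in TCP/IP default is in force.
    $item    = Get-ItemProperty -Path $path -Name $entry.Name -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { $item.($entry.Name) } else { $null }

    $state = if ($null -eq $current)            { 'NOT SET' }
             elseif ($current -eq $entry.Value) { 'OK' }
             else                               { 'DIFFERS' }

    '{0,-38} current={1,-8} recommended={2,-8} {3}' -f $entry.Name, $current, $entry.Value, $state

    if ($Apply -and $state -ne 'OK') {
        # Defensive check: never write a value outside the valid range the text gives.
        if ($entry.Value -lt $entry.Min -or $entry.Value -gt $entry.Max) {
            throw "$($entry.Name): $($entry.Value) is outside the valid range $($entry.Min)..$($entry.Max)"
        }
        # -Force overwrites an existing value; DWord matches the type the article specifies.
        New-ItemProperty -Path $path -Name $entry.Name -PropertyType DWord `
            -Value $entry.Value -Force | Out-Null
    }
}
```

Run it without -Apply first to see which values differ from the recommendation before changing anything.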
The values to configure are summarized in Table 3-2. Together, these settings give the server the maximum available protection against SYN attacks.
Table 3-2 Recommended registry values against SYN attacks

Value name                               Recommended   Valid range
SynAttackProtect                         2             0 ~ 2
TcpMaxPortsExhausted                     5             0 ~ 65535
TcpMaxHalfOpen                           500           100 ~ 65535
TcpMaxHalfOpenRetried                    400           80 ~ 65535
TcpMaxConnectResponseRetransmissions     2             0 ~ 255
TcpMaxDataRetransmissions                2             0 ~ 65535
EnablePMTUDiscovery                      0             0, 1
KeepAliveTime                            300000        80 ~ 4294967295
NoNameReleaseOnDemand                    1             0, 1
