How to configure Windows server to cope with high concurrency and DDOS attacks

Source: Internet
Author: User

Windows has many mechanisms for improving performance and security, several of which can be used to cope with high-concurrency requests and DDoS attacks. The following registry settings (shown in .reg file syntax; all live under HKEY_LOCAL_MACHINE and need a reboot to take effect) can be used to tune a Windows server.

1. Handling high-concurrency requests

1.1 TCP connection wait time: TcpTimedWaitDelay
This is the time that must pass before TCP/IP releases a closed connection and reuses its resources. The interval between closing and releasing is usually called the TIME_WAIT state, or twice the maximum segment lifetime (2MSL). During this period, reopening a connection between the client and server costs less than creating a new one. Reducing the value lets TCP/IP release closed connections sooner and frees resources for new connections. Adjust this parameter if the application opens and closes connections rapidly and many connections sit in TIME_WAIT, lowering throughput. The default is 240 seconds, the minimum is 30 seconds and the maximum is 300 seconds. The recommended value is 30 seconds.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "TcpTimedWaitDelay"=dword:0000001e

1.2 Maximum TCP port: MaxUserPort
When a TCP client connects to a server, the client must be allocated a dynamic port. By default the dynamic port range is 1024-5000, so a client can have at most 3977 socket connections open at the same time. Widening the dynamic port range raises the system's connection throughput.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "MaxUserPort"=dword:0000fffe

1.3 Keep-alive time: KeepAliveTime
By default Windows does not send keep-alive packets, but some TCP connections may request them. Attackers can establish a large number of idle connections to cause a denial of service on the server. Reducing this value helps the system disconnect inactive sessions quickly.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "KeepAliveTime"=dword:000493e0

1.4 Maximum TCP data retransmissions: TcpMaxDataRetransmissions
This parameter controls how many times a TCP data segment is retransmitted before the connection is aborted. If the computer receives no acknowledgement within this limit, the connection is terminated.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "TcpMaxDataRetransmissions"=dword:00000003

1.5 Maximum SYN-ACK retransmissions: TcpMaxConnectResponseRetransmissions
This parameter sets how long the system waits on a half-open connection (how many times the SYN-ACK is retransmitted) and can be used to improve network performance. The default value is 3, which takes 45 seconds; a value of 2 takes 21 seconds; a value of 1 takes 9 seconds; a value of 0 means no retransmission and takes 3 seconds.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "TcpMaxConnectResponseRetransmissions"=dword:00000002

2. Defending against DDoS attacks (in addition to the settings above)

2.1 SYN attack protection: SynAttackProtect
To counter SYN attacks, the TCP/IP stack of Windows NT systems has a built-in SynAttackProtect mechanism. It disables some socket options, adds additional connection indications and reduces timeouts, so the system can process more SYN connections and withstand a SYN flood.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "SynAttackProtect"=dword:00000002

2.2 Dead gateway detection: EnableDeadGWDetect
When multiple gateways are configured on the server and the network is unreliable, the system tries to connect through the second gateway. Allowing automatic dead-gateway detection can be abused to cause a DoS; disabling it defends against SNMP attacks and optimizes the network.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "EnableDeadGWDetect"=dword:00000000

2.3 ICMP redirect: EnableICMPRedirect
Whether to honour ICMP redirect packets. ICMP redirects can be used for attacks, so the system should reject them.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "EnableICMPRedirect"=dword:00000000

2.4 IP source routing restriction: DisableIPSourceRouting
Whether to drop IP source-routed packets. Disabling source routing raises the protection level against packet spoofing.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "DisableIPSourceRouting"=dword:00000002

2.5 Router discovery: PerformRouterDiscovery
ICMP router advertisement packets can be used to add routing table entries, which may cause a DoS. Router discovery is therefore disabled, both globally and per interface.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "PerformRouterDiscovery"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]
    "PerformRouterDiscovery"=dword:00000000

2.6 NetBIOS name release: NoNameReleaseOnDemand
This setting lets the computer ignore NetBIOS name-release requests except from WINS servers. When an attacker sends a request to release the server's NetBIOS name, the server does not respond.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "NoNameReleaseOnDemand"=dword:00000001

2.7 Internet Group Management Protocol level: IGMPLevel
This controls the extent to which the system supports IP multicast and IGMP. The default value is 2: multicast data can be sent and received. With a value of 1 only multicast data can be sent; with a value of 0 multicast is not supported.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "IGMPLevel"=dword:00000000

2.8 Anonymous access restriction: RestrictAnonymous
This disables anonymous enumeration of user lists and security permissions. Anonymous access lets a client establish a null session with the target host without a user name or password; through that session the client can obtain the user list, and with the user list can guess passwords.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "restrictanonymous"=dword:00000001
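The following PowerShell script is an added example, not part of the original article: it audits every registry value recommended in sections 1 and 2 against the article's settings (decimal equivalents of the dword values above), reports Missing/Drift/OK for each, and only writes when run with -Apply. The script name and the $Recommended table are assumptions of this example; the paths and value names are the ones the article gives.

```powershell
# Audit-TcpipHardening.ps1 (hypothetical name; example code, not from the article)
# Compares the Tcpip\Parameters and Control\Lsa values recommended by the article
# with what is actually set on this host. Read-only unless -Apply is given.
# Run from an elevated PowerShell session; Tcpip changes need a reboot to take effect.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Apply)

$TcpipPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Recommended values from the article, as decimal equivalents of the dword hex.
$Recommended = @(
    @{ Path = $TcpipPath; Name = 'TcpTimedWaitDelay';                    Value = 30     }  # 0x1e seconds
    @{ Path = $TcpipPath; Name = 'MaxUserPort';                          Value = 65534  }  # 0xfffe
    @{ Path = $TcpipPath; Name = 'KeepAliveTime';                        Value = 300000 }  # 0x493e0 ms
    @{ Path = $TcpipPath; Name = 'TcpMaxDataRetransmissions';            Value = 3      }
    @{ Path = $TcpipPath; Name = 'TcpMaxConnectResponseRetransmissions'; Value = 2      }
    @{ Path = $TcpipPath; Name = 'SynAttackProtect';                     Value = 2      }
    @{ Path = $TcpipPath; Name = 'EnableDeadGWDetect';                   Value = 0      }
    @{ Path = $TcpipPath; Name = 'EnableICMPRedirect';                   Value = 0      }
    @{ Path = $TcpipPath; Name = 'DisableIPSourceRouting';               Value = 2      }
    @{ Path = $TcpipPath; Name = 'PerformRouterDiscovery';               Value = 0      }
    @{ Path = $TcpipPath; Name = 'NoNameReleaseOnDemand';                Value = 1      }
    @{ Path = $TcpipPath; Name = 'IGMPLevel';                            Value = 0      }
    @{ Path = $LsaPath;   Name = 'RestrictAnonymous';                    Value = 1      }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent; Windows then uses its built-in default.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$report = foreach ($r in $Recommended) {
    $current = Get-RegistryDword -Path $r.Path -Name $r.Name
    $state = if ($null -eq $current)        { 'Missing' }
             elseif ($current -eq $r.Value) { 'OK' }
             else                           { 'Drift' }

    # Write only on request; -WhatIf shows what would change without touching the registry.
    if ($Apply -and $state -ne 'OK' -and
        $PSCmdlet.ShouldProcess("$($r.Path)\$($r.Name)", "Set DWORD to $($r.Value)")) {
        New-ItemProperty -Path $r.Path -Name $r.Name -PropertyType DWord `
                         -Value $r.Value -Force | Out-Null
        $state = 'Applied'
    }

    [pscustomobject]@{
        Name        = $r.Name
        Recommended = $r.Value
        Current     = $current
        State       = $state
    }
}

$report | Format-Table -AutoSize
```

Run it without arguments to get a drift report, with `-Apply -WhatIf` to preview the writes, and with `-Apply` to set the values; reboot afterwards. The script checks only the global Tcpip\Parameters key for PerformRouterDiscovery, not the per-interface subkeys the article also lists. Expect `Missing` for MaxUserPort and SynAttackProtect on Windows Vista/Server 2008 and later: those releases ignore both values (the dynamic port range there is managed with `netsh int ipv4 set dynamicport tcp`, and SYN flood protection is always on), so the report is for tracking configuration drift on the systems the article targets rather than a sign that a modern host is unprotected.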
