How to effectively resist DDoS

Source: Internet
Author: User

I won't go over the damage DDoS causes here.

We can reduce the damage caused by DDoS by modifying the registry.

1) Set the time to live (TTL)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

DefaultTTL REG_DWORD 0-0xff (0-255 decimal, default value 128)

Clarification: Specifies the default time-to-live (TTL) value set in outgoing IP packets. The TTL determines the maximum time an IP packet may live on the network before reaching its destination. It actually limits the number of routers the IP packet is allowed to pass through before it is discarded. This value is sometimes used to fingerprint the operating system of a remote host. I advocate setting it to 1, because this is the time to live of ICMP packets. The smaller the value, the more machines the other side needs to DDoS you with PING: against 1M of bandwidth it usually takes more than 100 compromised hosts, whereas without the change about 20 are enough. Because every router decrements the TTL, a value of 1 also means that outgoing packets are discarded at the first router they reach.

2) Prevent attacks that use ICMP redirect messages

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

EnableICMPRedirects REG_DWORD 0x0 (default value is 0x1)

Clarification: This parameter controls whether Windows 2000 alters its routing table in response to ICMP redirect messages sent to it by a network device such as a router. Such messages are sometimes abused. The default value in Win2000 is 1, meaning that it responds to ICMP redirect messages.

3) Stop responding to ICMP router advertisement messages

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface

PerformRouterDiscovery REG_DWORD 0x0 (default value is 0x2)

Clarification: The ICMP router advertisement feature can be abused to disrupt the network connections of other people's computers, to eavesdrop on data, and to use the computer for traffic attacks, among other serious consequences. This problem has caused large-scale, long-lasting network anomalies on some campus networks. It is therefore recommended to stop responding to ICMP router advertisement messages. The default value in Win2000 is 2, meaning that router discovery is enabled when DHCP sends the router discovery option.

4) Prevent SYN flood attacks

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

SynAttackProtect REG_DWORD 0x2 (default value is 0x0)

Clarification: SYN attack protection reduces the number of SYN-ACK retransmissions in order to reduce the time for which resources stay allocated. Allocation of route cache entry resources is deferred until the connection is established. If SynAttackProtect = 2, the connection indication to AFD is delayed until the three-way handshake has completed. Note that the protection mechanism takes effect only when the TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are exceeded.

5) Disable the default C$ and D$ shares

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

AutoShareServer REG_DWORD 0x0

6) Disable the default admin$ share

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

AutoShareWks REG_DWORD 0x0

7) Restrict the default ipc$ share

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

RestrictAnonymous REG_DWORD 0x0 (default)

0x1 Anonymous users cannot enumerate the local user list

0x2 Anonymous users cannot connect to the local ipc$

Clarification: Using 2 is not recommended, because it may prevent some of your services, such as SQL Server, from starting.

8) Disable support for the IGMP protocol

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

IGMPLevel REG_DWORD 0x0 (default value is 0x2)

Note: Win9x had a bug that let someone use IGMP to blue-screen another person's machine, and it could be fixed by modifying the registry. Although Win2000 has no such bug, IGMP is not necessary, so it can be removed. After the value is changed to 0, route print no longer shows the annoying 224.0.0.0 entry.

9) Set the ARP cache aging time

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

ArpCacheLife REG_DWORD 0-0xffffffff (number of seconds, default value 120 seconds)

ArpCacheMinReferencedLife REG_DWORD 0-0xffffffff (number of seconds, default value 600)

Clarification: If ArpCacheLife is greater than or equal to ArpCacheMinReferencedLife, both referenced and unreferenced ARP cache entries expire after ArpCacheLife seconds. If ArpCacheLife is less than ArpCacheMinReferencedLife, unreferenced entries expire after ArpCacheLife seconds and referenced entries expire after ArpCacheMinReferencedLife seconds. An entry in the ARP cache is referenced each time an outbound packet is sent to the IP address of that entry.

10) Disable dead gateway detection

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

EnableDeadGWDetect REG_DWORD 0x0 (default value is 0x1)

Clarification: If you have configured multiple gateways, your machine will automatically switch to a backup gateway when it has difficulty handling multiple connections. Sometimes this is not a good idea, so dead gateway detection should be disabled.

11) Disable the routing function

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

IPEnableRouter REG_DWORD 0x0 (default value is 0x0)

Clarification: Setting the value to 0x1 gives Win2000 routing functionality, which causes unnecessary problems.

12) Raise the maximum external port number used for translation when doing NAT

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

MaxUserPort REG_DWORD 5000-65534 (decimal) (default value 0x1388, decimal 5000)

Clarification: When an application requests an available user port from the system, this parameter controls the maximum port number used. Normally, short-lived ports are allocated from the range 1024-5000. When this parameter is set to a value outside the valid range, the nearest valid value (5000 or 65534) is used. When using NAT, it is recommended to raise this value.

13) Change the MAC address

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class

In the right-hand window, locate the key whose description is "network adapter", for example {4d36e972-e325-11ce-bfc1-08002be10318}.

Open it, and under its 0000, 0001, 0002 ... branches find the one whose "DriverDesc" value is your network card, for example "Intel 82559 Fast Ethernet LAN on Motherboard". Then create a new string value in the right-hand window named "NetworkAddress" whose content is the MAC value you want, for example "004040404040". Restart the computer and check the result with ipconfig /all.

Finally, with a BlackICE firewall installed as well, you should be able to resist the usual DDoS.
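A read-only way to check a host against the fixed values recommended in items 2 to 6, 8, 10 and 11, as an added PowerShell example that is not part of the original article. The `$baseline` table and the function name `Test-RegistryBaseline` are this example's own; the value names are used as written on this page, and nothing in the registry is changed.

```powershell
# Added example: read-only audit of the fixed values recommended on this page.
# $baseline and Test-RegistryBaseline are names chosen for this example.
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$baseline = @(
    @{ Path = $tcpip;  Name = 'EnableICMPRedirects'; Want = 0 }  # item 2
    @{ Path = $tcpip;  Name = 'SynAttackProtect';    Want = 2 }  # item 4
    @{ Path = $lanman; Name = 'AutoShareServer';     Want = 0 }  # item 5
    @{ Path = $lanman; Name = 'AutoShareWks';        Want = 0 }  # item 6
    @{ Path = $tcpip;  Name = 'IGMPLevel';           Want = 0 }  # item 8
    @{ Path = $tcpip;  Name = 'EnableDeadGWDetect';  Want = 0 }  # item 10
    @{ Path = $tcpip;  Name = 'IPEnableRouter';      Want = 0 }  # item 11
)

# PerformRouterDiscovery (item 3) is per interface: add one check per interface subkey.
foreach ($nic in Get-ChildItem "$tcpip\Interfaces" -ErrorAction SilentlyContinue) {
    $baseline += @{ Path = $nic.PSPath; Name = 'PerformRouterDiscovery'; Want = 0 }
}

function Test-RegistryBaseline {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        # A missing value means the operating system default is in effect.
        $have = $null
        if ($null -ne $item) { $have = $item.($c.Name) }
        $shown = '(not set)'
        if ($null -ne $have) { $shown = $have }
        [pscustomobject]@{
            Key   = ($c.Path -split '\\Services\\')[-1]   # path below ...\Services\
            Value = $c.Name
            Want  = $c.Want
            Have  = $shown
            Match = ($null -ne $have -and $have -eq $c.Want)
        }
    }
}

$report = @(Test-RegistryBaseline -Checks $baseline)
$report | Format-Table -AutoSize
$bad = @($report | Where-Object { -not $_.Match })
'{0} of {1} checked values differ from the recommended settings' -f $bad.Count, $report.Count
```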

This paper comes from http://www.mgddos.com (DDoS attack software)
