How to enhance the TCP/IP stack

Microsoft Corporation

See the landing page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Abstract: You can configure various TCP/IP parameters in the Windows registry to protect against network-level denial of service (DoS) attacks, including SYN flood attacks, ICMP attacks, and SNMP attacks. You can configure the registry settings to:

Enable SYN flood protection when an attack is detected.

Set the threshold values that are used to determine what constitutes an attack.

This document shows administrators the registry keys and values required to protect against network-based denial of service (DoS) attacks.

Note: These settings modify the way TCP/IP works on the server. The characteristics of your Web server determine the optimal threshold values for triggering DoS countermeasures. Some values may impose very strict restrictions on client connections. Test the suggestions in this document before deploying them to a production server.

Content on this page
Prerequisites
Prevent SYN Attacks
Prevent ICMP attacks
Prevent SNMP attacks
AFD.sys Protection
Other protection
Defects
Other resources

Prerequisites

TCP/IP is an inherently insecure protocol. However, Windows 2000 allows you to configure its operation to protect against network denial of service attacks. Some of the keys and values described in this article may not exist by default; in those cases, create the key, value, or value data.

For more information about the TCP/IP network settings controlled by the Windows 2000 registry, see the white paper "Microsoft Windows 2000 TCP/IP Implementation Details" at http://www.microsoft.com/technet/itsolutions/network/deploy/depovg/tcpip2k.asp.

Prevent SYN Attacks

SYN attacks exploit a weakness in the TCP/IP connection establishment mechanism. To launch a SYN flood, an attacker uses a program to send a large number of TCP SYN requests that fill the pending connection queue on the server, which prevents other users from establishing network connections.

To protect against SYN attacks, follow these general steps, which are explained later in this document:

Enable SYN attack protection

Set SYN protection threshold

Set other protection

Enable SYN attack protection

The named value for enabling SYN attack protection is located under the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services.

Value name: SynAttackProtect

Recommended value: 2

Valid values: 0-2

Note: Causes TCP to adjust the retransmission of SYN-ACKs. When you configure this value, connection responses time out more quickly during a SYN attack. A SYN attack is detected when TcpMaxHalfOpen or TcpMaxHalfOpenRetried is exceeded.

Set SYN protection threshold

The following values determine the thresholds at which SYN protection is triggered. All keys and values in this section are located under the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services. These keys and values are as follows:

Value name: TcpMaxPortsExhausted

Recommended value: 5

Valid values: 0-65535

Note: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.

Value name: TcpMaxHalfOpen

Recommended value data: 500

Valid values: 100-65535

Note: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When this threshold is exceeded, SYN flood protection is triggered.

Value name: TcpMaxHalfOpenRetried

Recommended value data: 400

Valid values: 80-65535

Note: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When this threshold is exceeded, SYN flood protection is triggered.

Set other protection

All keys and values in this section are located under the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services. These keys and values are as follows:

Value name: TcpMaxConnectResponseRetransmissions

Recommended value data: 2

Valid values: 0-255

Note: Controls how many times a SYN-ACK is retransmitted before the attempt to respond to a SYN request is abandoned.

Value name: TcpMaxDataRetransmissions

Recommended value data: 2

Valid values: 0-65535

Note: Specifies the number of times TCP retransmits an individual data segment (not a connection request segment) before aborting the connection.

Value name: EnablePMTUDiscovery

Recommended value data: 0

Valid values: 0, 1

Note: When this value is set to 1 (the default), TCP attempts to discover the maximum transmission unit (MTU), or largest packet size, over the path to a remote host. An attacker can force packets to be fragmented, which overworks the stack. Setting this value to 0 forces an MTU of 576 bytes to be used for all connections to hosts that are not on the local subnet.

Value name: KeepAliveTime

Recommended value data: 300000

Valid values: 80-4294967295

Note: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.

Value name: NoNameReleaseOnDemand

Recommended value data: 1

Valid values: 0, 1

Note: Specifies that the computer does not release its NetBIOS name when it receives a name-release request.

Use the values summarized in Table 1 for maximum protection.

Table 1 Recommended values

Value Name                             Value (REG_DWORD)
SynAttackProtect                       2
TcpMaxPortsExhausted                   1
TcpMaxHalfOpen                         500
TcpMaxHalfOpenRetried                  400
TcpMaxConnectResponseRetransmissions   2
TcpMaxDataRetransmissions              2
EnablePMTUDiscovery                    0
KeepAliveTime                          300000 (5 minutes)
NoNameReleaseOnDemand                  1
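As an added example (not code from the original article or from Microsoft), the following PowerShell script audits a server against the Table 1 values and, when run with -Apply, writes the recommended ones. It assumes the values live under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, the key this article uses for its other TCP/IP values, since the text above names only ...\Services.

```powershell
# Added example, not part of the original article: audit the Table 1 values
# against the live registry and, with -Apply, write the recommended ones.
# Assumption: the values live under Services\Tcpip\Parameters, the key the
# article uses for its other TCP/IP values (the text above names only
# ...\Services). Run from an elevated PowerShell prompt; report-only by default.
param([switch]$Apply)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Recommended REG_DWORD values from Table 1. The table lists
# TcpMaxPortsExhausted = 1 while the body text recommends 5; the table value
# is used here, so adjust it after testing against your own traffic.
$Recommended = [ordered]@{
    SynAttackProtect                     = 2
    TcpMaxPortsExhausted                 = 1
    TcpMaxHalfOpen                       = 500
    TcpMaxHalfOpenRetried                = 400
    TcpMaxConnectResponseRetransmissions = 2
    TcpMaxDataRetransmissions            = 2
    EnablePMTUDiscovery                  = 0
    KeepAliveTime                        = 300000   # milliseconds (5 minutes)
    NoNameReleaseOnDemand                = 1
}

if (-not (Test-Path -Path $KeyPath)) { throw "Registry key not found: $KeyPath" }
$Current = Get-ItemProperty -Path $KeyPath

foreach ($Name in $Recommended.Keys) {
    $Want = $Recommended[$Name]
    # A value absent from the key is reported as MISSING; the article says to
    # create the value in that case rather than rely on an implicit default.
    $Exists = $Current.PSObject.Properties.Name -contains $Name
    $Have   = if ($Exists) { $Current.$Name } else { '<none>' }
    $Status = if (-not $Exists) { 'MISSING' } elseif ($Have -eq $Want) { 'OK' } else { 'DIFFERS' }
    '{0,-38} current={1,-8} recommended={2,-8} {3}' -f $Name, $Have, $Want, $Status

    if ($Apply -and $Status -ne 'OK') {
        # -Force creates a missing value or overwrites an existing one as REG_DWORD.
        New-ItemProperty -Path $KeyPath -Name $Name -Value $Want -PropertyType DWord -Force | Out-Null
    }
}

if ($Apply) {
    Write-Host 'Recommended values written. Tcpip\Parameters changes take effect after a restart.'
}
```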

Prevent ICMP attacks

The value in this section is located under the registry key HKLM\System\CurrentControlSet\Services\AFD\Parameters.

Value name: EnableICMPRedirect

Recommended value data: 0

Valid values: 0 (disabled), 1 (enabled)

Note: Setting this registry value to 0 prevents the creation of expensive host routes when an ICMP redirect packet is received.

Use the value summarized in Table 2 for maximum protection.

Table 2 Recommended values

Value Name            Value (REG_DWORD)
EnableICMPRedirect    0

Prevent SNMP attacks

The value in this section is located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.

Value name: EnableDeadGWDetect

Recommended value data: 0

Valid values: 0 (disabled), 1 (enabled)

Note: Prevents an attacker from forcing a switch to a secondary gateway.

Use the value summarized in Table 3 for maximum protection.

Table 3 Recommended values

Value Name            Value (REG_DWORD)
EnableDeadGWDetect    0

AFD.sys Protection

The following keys specify parameters for the kernel-mode driver AFD.sys, which is used to support Windows Sockets applications. All keys and values in this section are located under the registry key HKLM\System\CurrentControlSet\Services\AFD\Parameters. These keys and values are as follows:

Value name: EnableDynamicBacklog

Recommended value data: 1

Valid values: 0 (disabled), 1 (enabled)

Note: Specifies AFD.sys functionality to withstand large numbers of SYN_RCVD connections efficiently. For more information, see "Internet Server Unavailable Because of Malicious SYN Attacks" at http://support.microsoft.com/default.aspx?scid=kb;en-us;142641.

Value name: MinimumDynamicBacklog

Recommended value data: 20

Valid values: 0-4294967295

Note: Specifies the minimum number of free connections allowed on a listening endpoint. If the number of free connections drops below this value, a thread is queued to create additional free connections.

Value name: MaximumDynamicBacklog

Recommended value data: 20000

Valid values: 0-4294967295

Note: Specifies the maximum number of free connections plus those in the SYN_RCVD state.

Value name: DynamicBacklogGrowthDelta

Recommended value data: 10

Valid values: 0-4294967295

Default value: none

Note: Specifies the number of free connections to create when additional connections are necessary.

Use the values summarized in Table 4 for maximum protection.

Table 4 Recommended values

Value Name                   Value (REG_DWORD)
EnableDynamicBacklog         1
MinimumDynamicBacklog        20
MaximumDynamicBacklog        20000
DynamicBacklogGrowthDelta    10

Other protection

All keys and values in this section are located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.

Protect screened-network details

Network address translation (NAT) is used to screen a network from incoming connections. An attacker can circumvent this screen by using IP source routing to determine the network topology.

Value name: DisableIPSourceRouting

Recommended value data: 1

Valid values: 0 (forward all packets), 1 (do not forward source-routed packets), 2 (drop all incoming source-routed packets).

Note: Disables IP source routing. IP source routing is a mechanism that allows the sender to determine the route a packet takes through the network.

Avoid accepting fragmented packets

Processing fragmented packets can be expensive. Although it is rare for a denial of service to originate from within the perimeter network, this setting prevents the processing of fragmented packets.

Value name: EnableFragmentChecking

Recommended value data: 1

Valid values: 0 (disabled), 1 (enabled)

Note: Prevents the IP stack from accepting fragmented packets.

Do not forward packets destined for multiple hosts

Multicast packets may be answered by multiple hosts, resulting in responses that can flood a network.

Value name: EnableMulticastForwarding

Recommended value data: 0

Valid range: 0 (false), 1 (true)

Note: The routing service uses this parameter to control whether IP multicasts are forwarded. This parameter is created by the Routing and Remote Access Service.

Only firewalls forward packets between networks

A multihomed server must not forward packets between the networks it is connected to. The obvious exception is the firewall.

Value name: IPEnableRouter

Recommended value data: 0

Valid range: 0 (false), 1 (true)

Note: Setting this parameter to 1 (true) causes the system to route IP packets between the networks to which it is connected.

Mask network topology details

The subnet mask of a host can be requested by using ICMP packets. This disclosure is not a serious issue on its own; however, the responses of multiple hosts can be used to build a picture of the internal network.

Value name: EnableAddrMaskReply

Recommended value data: 0

Valid range: 0 (false), 1 (true)

Note: This parameter controls whether the computer responds to an ICMP address mask request.

Use the values summarized in Table 5 for maximum protection.

Table 5 Recommended values

Value Name                   Value (REG_DWORD)
DisableIPSourceRouting       1
EnableFragmentChecking       1
EnableMulticastForwarding    0
IPEnableRouter               0
EnableAddrMaskReply          0

Defects

Test changes to these values against the network volumes expected in production. These settings modify the thresholds that are considered normal and deviate from the tested defaults. If the connection speeds of your clients vary widely, some settings may be too narrow to support clients reliably.
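Because the right thresholds depend on your own traffic, this added PowerShell script (not from the original article or from Microsoft) samples the server's half-open connection count over time and compares the observed peak with the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values in the registry. It assumes the thresholds are stored under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters and uses its own -Samples and -IntervalSeconds parameters.

```powershell
# Added example, not part of the original article: sample the count of
# half-open (SYN_RECEIVED) connections and compare the peak with the
# TcpMaxHalfOpen / TcpMaxHalfOpenRetried thresholds currently in the registry,
# so the thresholds are chosen from an observed baseline instead of guessed.
# Assumption: the thresholds live under Services\Tcpip\Parameters (the article
# names only ...\Services); -Samples and -IntervalSeconds are this script's own.
param([int]$Samples = 12, [int]$IntervalSeconds = 5)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Params  = Get-ItemProperty -Path $KeyPath

# Fall back to the article's recommended values when a threshold is not set.
$HalfOpen        = if ($null -ne $Params.TcpMaxHalfOpen)        { $Params.TcpMaxHalfOpen }        else { 500 }
$HalfOpenRetried = if ($null -ne $Params.TcpMaxHalfOpenRetried) { $Params.TcpMaxHalfOpenRetried } else { 400 }

function Get-SynReceivedCount {
    # netstat lines look like "  TCP    10.0.0.5:80    203.0.113.9:51234    SYN_RECEIVED"
    # (constructed documentation addresses); after trimming, field 3 is the state.
    $Lines = netstat -an -p tcp | Where-Object { $_ -match '^\s*TCP\s' }
    @($Lines | Where-Object { ($_.Trim() -split '\s+')[3] -eq 'SYN_RECEIVED' }).Count
}

$Peak = 0
for ($i = 0; $i -lt $Samples; $i++) {
    $Count = Get-SynReceivedCount
    if ($Count -gt $Peak) { $Peak = $Count }
    '{0:HH:mm:ss} SYN_RECEIVED={1}' -f (Get-Date), $Count
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
}

"Peak half-open connections observed: $Peak"
"TcpMaxHalfOpen=$HalfOpen  TcpMaxHalfOpenRetried=$HalfOpenRetried"

# netstat cannot show which half-open connections have already been
# retransmitted, so the peak is also an upper bound for the retried count.
if ($Peak -ge $HalfOpenRetried) {
    'WARNING: ordinary load already reaches TcpMaxHalfOpenRetried; SYN protection could trigger on legitimate traffic.'
} elseif ($Peak -ge 0.8 * $HalfOpen) {
    'CAUTION: peak is within 20% of TcpMaxHalfOpen; leave headroom for traffic growth before deploying.'
} else {
    'Thresholds leave headroom above the observed baseline.'
}
```

Run it during a representative busy period, not a quiet one, since the thresholds only matter at peak load.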

Other resources

For more information about TCP/IP, see the following resources:

For more information about hardening the TCP/IP stack, see Microsoft Knowledge Base article 315669, "How To: Harden the TCP/IP Stack Against Denial of Service Attacks in Windows 2000".

For more information about the Windows 2000 TCP/IP implementation, see "Windows 2000 TCP/IP Protocols and Services" by Lee Davies (Microsoft Press).

For more information about the Windows 2000 TCP/IP implementation, see "Microsoft Windows 2000 TCP/IP Implementation Details" on the TechNet Web site at http://www.microsoft.com/technet/itsolutions/network/deploy/depovg/tcpip2k.asp.
