Reinforce TCP/IP protocol stack

Source: Internet
Author: User


This article lists the registry values related to TCP/IP that you can configure to reinforce the TCP/IP protocol stack on a computer directly connected to the Internet. All these values are under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Note: Unless otherwise specified, all values are in hexadecimal format.

Value Name: SynAttackProtect
Registry key: Tcpip\Parameters
Value Type: REG_DWORD
Valid range: 0, 1, 2
Default: 0

This registry value enables Transmission Control Protocol (TCP) to adjust the retransmission of SYN-ACKs. After this value is configured, connection responses time out more quickly if a SYN attack (one type of DoS attack) occurs.

The following lists the parameters that can be used in the registry value:

0 (default): Set SynAttackProtect to 0 to provide general defense against SYN attacks.

1: Set SynAttackProtect to 1 to defend against SYN attacks more effectively. This parameter enables TCP to adjust the retransmission of SYN-ACKs. When SynAttackProtect is set to 1, connection responses time out more quickly if a SYN attack occurs. Windows uses the following values to determine whether an attack exists:

  TcpMaxPortsExhausted
  TCPMaxHalfOpen
  TCPMaxHalfOpenRetried

2: Set SynAttackProtect to 2 to defend against SYN attacks most effectively. This value adds additional delay to connection indications and shortens the timeout of TCP connection requests during a SYN attack. This parameter is recommended.

Note: When the SynAttackProtect value is set to 2, the following socket options do not work on all sockets: TCP parameters (including RTT and window size) configured on each adapter.

Value Name: EnableDeadGWDetect
Registry key: Tcpip\Parameters
Value Type: REG_DWORD
Valid range: 0, 1 (False, True)
Default: 1 (True)

The following lists the parameters that can be used in the registry value:

1: When EnableDeadGWDetect is set to 1, TCP is allowed to perform dead gateway detection. When dead gateway detection is enabled, TCP may ask the Internet Protocol (IP) to switch to a backup gateway if multiple connections are experiencing difficulty. You can define backup gateways in the "Advanced" section of the TCP/IP configuration dialog box in the Network Control Panel.

0: We recommend that you set EnableDeadGWDetect to 0. If you do not set this value to 0, a network attack may force the server to switch gateways, and the gateway it switches to may not be the one you intend to use.

Value Name: EnablePMTUDiscovery
Registry key: Tcpip\Parameters
Value Type: REG_DWORD
Valid range: 0, 1 (False, True)
Default: 1 (True)

The following lists the parameters that can be used in the registry value:

1: When EnablePMTUDiscovery is set to 1, TCP attempts to discover the maximum transmission unit (MTU), or the maximum packet size, over the path to the remote host. By discovering the path MTU and limiting TCP segments to this size, TCP can reduce fragmentation at the routers along the path that connect networks with different MTUs. Fragmentation affects TCP throughput.

0: We recommend that you set EnablePMTUDiscovery to 0. In this case, an MTU of 576 bytes is used for all connections that are not to hosts on the local subnet. If the value is not 0, attackers can force the MTU value to become very small, resulting in excessive stack load.

Value Name: KeepAliveTime
Registry key: Tcpip\Parameters
Value Type: REG_DWORD (in milliseconds)
Valid range: 1-0xFFFFFFFF
Default: 7,200,000 (2 hours)

This value controls how often TCP sends a keep-alive packet to check whether an idle connection is still intact. If the remote computer can still be reached, it responds to the keep-alive packet. By default, no keep-alive packets are sent. You can use a program to configure this value on a connection. We recommend that you set this value to 300,000 (5 minutes).

Value Name: NoNameReleaseOnDemand
Registry key: Netbt\Parameters
Value Type: REG_DWORD
Valid range: 0, 1 (False, True)
Default: 0 (False)

This value determines whether the computer releases its NetBIOS name when it receives a name release request. This value was added to allow administrators to protect computers from malicious name release attacks. We recommend that you set NoNameReleaseOnDemand to 1 (default).

Note: The NoNameReleaseOnDemand value requires Windows 2000 Service Pack 2 (SP2) or later.
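
An audit script for the five values recommended above, added here as an example (it is not part of the original article). The function name Test-StackHardening and the -Apply switch are assumptions made for this example; writing values requires an elevated PowerShell session.

```powershell
# Added example: report each value against the recommendation on this page,
# and write the recommended value only when -Apply is given.
param([switch]$Apply)   # hypothetical switch: without it the script is read-only

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Recommended settings taken from the article (decimal DWORD values).
$recommended = @(
    @{ Key = 'Tcpip\Parameters'; Name = 'SynAttackProtect';      Value = 2 }
    @{ Key = 'Tcpip\Parameters'; Name = 'EnableDeadGWDetect';    Value = 0 }
    @{ Key = 'Tcpip\Parameters'; Name = 'EnablePMTUDiscovery';   Value = 0 }
    @{ Key = 'Tcpip\Parameters'; Name = 'KeepAliveTime';         Value = 300000 }
    @{ Key = 'Netbt\Parameters'; Name = 'NoNameReleaseOnDemand'; Value = 1 }
)

function Test-StackHardening {
    param([string]$Base, [object[]]$Settings, [switch]$Apply)

    foreach ($s in $Settings) {
        $path    = Join-Path $Base $s.Key
        $props   = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $current = $props.($s.Name)          # $null when the value is not set

        if ($null -ne $current -and $current -eq $s.Value) {
            $state = 'compliant'
        } elseif ($Apply) {
            # -Force overwrites an existing value or creates a missing one.
            New-ItemProperty -Path $path -Name $s.Name -Value $s.Value `
                -PropertyType DWord -Force | Out-Null
            $state = 'applied'
        } else {
            $state = 'non-compliant'
        }

        [pscustomobject]@{
            Key         = $s.Key
            Name        = $s.Name
            Current     = if ($null -eq $current) { '(not set)' } else { $current }
            Recommended = $s.Value
            State       = $state
        }
    }
}

Test-StackHardening -Base $base -Settings $recommended -Apply:$Apply |
    Format-Table -AutoSize
```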
