Simple setting for defending small traffic DDoS attacks

Preventing DDoS attacks does not necessarily have to be a firewall. A part of DDoS we can through the DOS command Netstat-an|more or network comprehensive analysis software: sniff, etc. to find the relevant attack methods, such as attacking a major port, or the other side mainly from which port, the other IP. This allows us to take advantage of W2K's own tools, such as remote access and routing or IP policies, to resolve these attacks. To be able to use these data to find out about it we can also try to guard against DDoS attacks by making security settings for the server. If the server settings are not effectively resolved, then you can consider buying an anti-DDoS firewall. In fact, from the operating system point of view, itself has a lot of functions, but a lot of it is necessary for us to dig slowly. Here I give you a brief account of how to improve the system's anti DOS capability by modifying the registry in Win2000 environment.

Note that the following security settings are modified through the registry, and the performance of this setting depends on the configuration of the server, especially CPU processing power. If you follow the security settings below, the dual Xeon 2.4G server configuration, tested, can withstand approximately 10,000 packets of attack volume.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

' Turn off checking for invalid gateways. When the server is set up with multiple gateways, the system tries to connect when the network is not smooth

' A second gateway that can optimize the network by shutting it down.

"EnableDeadGWDetect" =dword:00000000

' Prevents response to ICMP Redirect messages. Such messages are likely to be used for attack, so the system should reject ICMP Redirect messages.

"Enableicmpredirects" =dword:00000000

' Do not allow NetBIOS names to be released. When an attacker issues a request to query the server NetBIOS name, the server can be prevented from responding.

' Attention system must be installed SP2 above

"NoNameReleaseOnDemand" =dword:00000001

' Send validation to keep active packets. This option determines how long the TCP interval is to determine that the current connection is still connected.

' Do not set this value, the system checks TCP for idle connections every 2 hours, setting the time to 5 minutes.

"KeepAliveTime" =dword:000493e0

' Maximum packet length path detection is prohibited. The value of 1 o'clock automatically detects the size of the packet that can be transferred,

' can be used to improve transmission efficiency, such as failure or security, set the value of 0, indicating the use of fixed MTU value 576bytes.

"EnablePMTUDiscovery" =dword:00000000

' Initiate SYN attack protection. The default entry value is 0, which means that the attack protection is not turned on, and the entry value of 1 and 2 indicates that SYN attack protection is initiated, set to 2

' Higher security levels, and what conditions are considered attacks, need to be based on the following tcpmaxhalfopen and tcpmaxhalfopenretried values

' Set the conditions to trigger the boot. It should be noted here that the NT4.0 must be set to 1, set to 2 after a special packet will cause the system to reboot.

"SynAttackProtect" =dword:00000002

' The number of half connections allowed to open at the same time. A half connection, a TCP session that is not fully established, can be seen in SYN_RCVD state with the netstat command

' That's it. This uses the Microsoft recommended value, the server is set to 100, and the Advanced Server is set to 500. Suggestions can be set slightly smaller.

"TcpMaxHalfOpen" =dword:00000064

' Determine if there is a trigger point for the attack. Here we use the Microsoft recommended value, the server is 80, and the Advanced Server is 400.

"TcpMaxHalfOpenRetried" =dword:00000050

' Set wait Syn-ack time. The default entry value is 3, which consumes 45 seconds of the default process. The item value is 2 and consumes 21 seconds.

' Item value is 1, consuming 9 seconds. The minimum can be set to 0, which means no wait, and consumes a time of 3 seconds. This value can be modified according to the size of the attack.

' Microsoft Site security recommended for 2.

"TcpMaxConnectResponseRetransmissions" =dword:00000001

' Sets the number of TCP heavy flyer data segments. The default entry value is 5, which consumes 240 seconds of the default process. Microsoft Site security recommended for 3.

"TcpMaxDataRetransmissions" =dword:00000003

' Set the critical point for SYN attack protection. When the available backlog changes to 0 o'clock, this parameter is used to control the opening of SYN attack protection, and the Microsoft Site security recommendation is 5.

"TCPMaxPortsExhausted" =dword:00000005

' Prohibit IP source routing. The default entry value is 1, which indicates that the routing package is not routed, the entry value is set to 0, all forwarding is set to 2, which means discarding all accepted

' Source routing packet, Microsoft site security recommended for 2.

"DisableIPSourceRouting" =dword:0000002

' Limits the maximum time that is in the TIME_WAIT state. The default is 240 seconds, the minimum is 30 seconds, and the maximum is 300 seconds. The recommended setting is 30 seconds.

"TcpTimedWaitDelay" =dword:0000001e

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters]

' Increase the size of the connection block for NetBT. The default is 3, the range 1-20, the larger the number of connections to improve performance. Each connection block consumes 87 bytes.

"Backlogincrement" =dword:00000003

' Maximum number of connections for NetBT. Range 1-40000, set to 1000, the larger the number, the more connections are allowed.

"Maxconnbacklog" =dword:000003e8

[Hkey_local_machine\system\currentcontrolset\services\afd\parameters]

' Configure activation dynamic backlog. For systems that are busy or susceptible to SYN attacks, the recommendation is set to 1, which indicates that dynamic backlog is allowed.

"EnableDynamicBacklog" =dword:00000001

' Configure minimum dynamic backlog. The default entry value is 0, which indicates the minimum number of free connections allocated by dynamic backlog. When the number of free connections

' A free connection is automatically allocated when the number is lower. The default value is 0, and it is recommended to set to 20 for systems that are busy or susceptible to SYN attacks.

"MinimumDynamicBacklog" =dword:00000014

' Max dynamic backlog. Represents the number of defined maximum "quasi" connections, mainly looking at the memory size, with the theory that the maximum memory per 32M can

' Add 5,000, set it to 20000.

"MaximumDynamicBacklog" =dword:00002e20

' Each additional free connection data. The default entry value is 5, which defines the number of free connections that are added each time. For network busy or susceptible to SYN attacks

' System, the recommended setting is 10.

"DynamicBacklogGrowthDelta" =dword:0000000a

The following parts need to be manually modified according to actual situation

'-------------------------------------------------------------------------------------------------

' [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

' Enable secure filtering on the NIC

' "EnableSecurityFilters" =dword:00000001

'

' The number of TCP connections open at the same time, which can be controlled according to the situation.

' "TcpNumConnections" =

'

' This parameter controls the size limit of the TCP Header table. On a machine with large amounts of RAM, adding this setting can improve response performance during a SYN attack.

' "Tcpmaxsendfree" =

'

' [hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\interfaces\{own NIC Interface}]

' Disables the routing Discovery feature. ICMP routing notification packets can be used to increase the routing table record and can cause attacks, so routing discovery is prohibited.

"PerformRouterDiscovery" =dword:00000000