Simple settings to defend against small-traffic DDOS attacks

Source: Internet
Author: User

Defending against DDoS attacks does not necessarily require a firewall. For some DDoS traffic we can use the DOS command netstat -an | more, or built-in network analysis software such as a sniffer, to see what is happening, and then use tools that ship with Windows 2000, such as Routing and Remote Access or IP security policies, to deal with the attack. We can also try to resist DDoS attacks by adjusting the security settings of the server itself. If configuring the server does not solve the problem effectively, an anti-DDoS firewall can be purchased. In fact, the operating system has many capabilities of its own, but many of them have to be dug out slowly. Here I will give a brief introduction to improving the system's resistance to DoS by modifying the registry in a Windows 2000 environment.

Note that the following security settings are all made through the registry. How well they perform depends on the server configuration, especially CPU processing power. The settings below were applied to a dual-channel Xeon "10 thousand GB" server; after testing, the server could withstand attacks of about packets.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

Disable dead gateway detection. When the server is configured with multiple gateways, the system will try to switch to the second gateway when the network is not running smoothly; disabling this behaviour can improve the network.
"EnableDeadGWDetect" = dword: 00000000

Disable response to ICMP redirect packets. Such packets can be used in attacks, so the system should reject ICMP redirects. (The registry value name is EnableICMPRedirect, singular.)
"EnableICMPRedirect" = dword: 00000000

Do not release the NetBIOS name on demand. When an attacker sends a request concerning the server's NetBIOS name, the server is forbidden to respond.
Note that SP2 or later must be installed on the system.
"NoNameReleaseOnDemand" = dword: 00000001

Send keep-alive verification packets. This option determines how often TCP checks whether a current connection is still up.
If this value is not set, the system checks idle TCP connections every two hours. Here the time is set to 5 minutes (0x493e0 = 300000 milliseconds).
"KeepAliveTime" = dword: 000493e0

Disable path MTU discovery. When the value is 1, the maximum packet size that can be transmitted is detected automatically,
which can improve transmission efficiency. If a fault occurs, or if the item is set to 0, a fixed MTU of 576 bytes is used.
"EnablePMTUDiscovery" = dword: 00000000

Enable SYN attack protection. The default value is 0, meaning attack protection is not enabled. The values 1 and 2 both enable SYN attack protection, with 2 giving the higher security level.
The conditions under which the system decides an attack is under way, and so triggers the protection, are set by the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values below.
Note that on NT 4.0 this must be set to 1: if it is set to 2, the system will restart when a specially crafted packet is received.
"SynAttackProtect" = dword: 00000002

The number of half-open connections that may exist at the same time. A half-open connection is a TCP session that has not been fully established; the netstat command shows such sessions in the SYN_RCVD state.
Here we recommend 100 for Server and 500 for Advanced Server, and it is better to set it a little smaller than larger.
"TcpMaxHalfOpen" = dword: 00000064

The number of half-open connections for which at least one retransmission has been sent, used to decide whether an attack is under way. Microsoft's recommended values are 80 for Server and 400 for Advanced Server.
"TcpMaxHalfOpenRetried" = dword: 00000050
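To see how close a server is to the TcpMaxHalfOpen trigger, the SYN_RCVD sessions that netstat lists can be counted per source. The following is an added example, not code from the original article; it parses netstat -an output on a Windows host with PowerShell (the netstat lines below are constructed samples, not a real capture).

```powershell
# Count half-open (SYN_RECEIVED / SYN_RCVD) TCP sessions from "netstat -an" output
# and compare the total with the TcpMaxHalfOpen value configured above.
function Get-HalfOpenSummary {
    param(
        [string[]]$NetstatLines,
        [int]$TcpMaxHalfOpen = 100     # value recommended above for Server
    )
    # netstat -an columns: Proto  Local Address  Foreign Address  State
    $halfOpen = @($NetstatLines | Where-Object {
        $_ -match '^\s*TCP\s+\S+\s+\S+\s+(SYN_RECEIVED|SYN_RCVD)\s*$'
    })

    # Tally half-open sessions by remote address (port stripped) to spot a flood source.
    $perSource = @{}
    foreach ($line in $halfOpen) {
        $src = (($line.Trim() -split '\s+')[2]) -replace ':\d+$', ''
        $perSource[$src] = 1 + [int]$perSource[$src]
    }

    [pscustomobject]@{
        HalfOpen       = $halfOpen.Count
        Threshold      = $TcpMaxHalfOpen
        AboveThreshold = ($halfOpen.Count -gt $TcpMaxHalfOpen)
        TopSources     = $perSource.GetEnumerator() |
                             Sort-Object Value -Descending | Select-Object -First 5
    }
}

# Constructed sample output (documentation addresses, not a real capture).
# On the server itself, use: Get-HalfOpenSummary -NetstatLines (netstat -an)
$sample = @(
    '  Proto  Local Address          Foreign Address        State'
    '  TCP    192.0.2.10:80          198.51.100.7:40211     SYN_RECEIVED'
    '  TCP    192.0.2.10:80          198.51.100.7:40212     SYN_RECEIVED'
    '  TCP    192.0.2.10:80          203.0.113.9:51002      ESTABLISHED'
    '  TCP    192.0.2.10:80          198.51.100.8:40500     SYN_RECEIVED'
)
Get-HalfOpenSummary -NetstatLines $sample -TcpMaxHalfOpen 100
```

For the sample above the summary reports 3 half-open sessions, below the threshold of 100, with 198.51.100.7 as the top source.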

Set the number of SYN-ACK retransmissions while waiting for the connection to complete. The default value is 3, which takes 45 seconds in total. A value of 2 takes 21 seconds,
a value of 1 takes 9 seconds, and the minimum value 0 means no retransmission, taking 3 seconds. This value can be adjusted according to the scale of the attack.
Microsoft Site Security recommends 2.
"TcpMaxConnectResponseRetransmissions" = dword: 00000001

Sets the number of times TCP retransmits a single data segment. The default value is 5, with which the process takes 240 seconds. Microsoft Site Security recommends 3.
"TcpMaxDataRetransmissions" = dword: 00000003

Sets the threshold for SYN attack protection. When the available backlog reaches 0, this parameter controls whether SYN attack protection is enabled. Microsoft Site Security recommends 5.
"TcpMaxPortsExhausted" = dword: 00000005

Disable IP source routing. The default value is 1, meaning source-routed packets are not forwarded. A value of 0 means all packets are forwarded, and a value of 2 means all received source-routed packets are discarded.
Microsoft Site Security recommends 2.
"DisableIPSourceRouting" = dword: 00000002

The maximum time a connection may stay in the TIME_WAIT state. The default value is 240 seconds; the minimum is 30 seconds and the maximum is 300 seconds. We recommend 30 seconds.
"TcpTimedWaitDelay" = dword: 0000001e


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
Increase the NetBT connection block increment. The default value is 3 and the valid range is 1-20. The larger the value, the more connections and the higher the performance. Each connection block consumes 87 bytes.
"BacklogIncrement" = dword: 00000003

The maximum number of NetBT connection blocks. The valid range is 1-40000; here it is set to 1000. A larger value allows more connections when the server is handling many connections.
"MaxConnBackLog" = dword: 000003e8


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
Enable the dynamic backlog. For systems that are busy or vulnerable to SYN attacks, we recommend setting this parameter to 1 to allow a dynamic backlog.
"EnableDynamicBacklog" = dword: 00000001

Configure the minimum dynamic backlog. This is the minimum number of free connections the dynamic backlog keeps allocated; when the number of free connections
falls below this value, more free connections are allocated automatically. The default value is 0. For systems that are busy or vulnerable to SYN attacks, we recommend 20.
"MinimumDynamicBacklog" = dword: 00000014

Maximum dynamic backlog. This is the maximum number of "quasi" (not yet accepted) connections, and depends mainly on the amount of memory. In theory it can be
increased by 5000 for every 32 MB of memory. Here it is set to 20000 (0x4e20).
"MaximumDynamicBacklog" = dword: 00004e20

The number of free connections added in each step. The default value is 5. If the network is busy or vulnerable to SYN attacks,
we recommend 10.
"DynamicBacklogGrowthDelta" = dword: 0000000a
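The three registry keys above can be audited, and optionally applied, in one pass. The following is an added example and not code from the original article; it assumes a Windows host with PowerShell, an elevated session, and a reboot afterwards so the TCP/IP stack reads the new values.

```powershell
# Audit the SYN-flood related registry values recommended above; with -Apply,
# write any that are missing or differ. Values are given in decimal
# (e.g. KeepAliveTime 0x493e0 = 300000 ms = 5 minutes).
param([switch]$Apply)

$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$NetBT = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$Afd   = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'

$Recommended = @(
    @{ Path = $Tcpip; Name = 'SynAttackProtect';                     Value = 2 },
    @{ Path = $Tcpip; Name = 'TcpMaxHalfOpen';                       Value = 100 },
    @{ Path = $Tcpip; Name = 'TcpMaxHalfOpenRetried';                Value = 80 },
    @{ Path = $Tcpip; Name = 'TcpMaxConnectResponseRetransmissions'; Value = 1 },
    @{ Path = $Tcpip; Name = 'TcpMaxDataRetransmissions';            Value = 3 },
    @{ Path = $Tcpip; Name = 'TcpMaxPortsExhausted';                 Value = 5 },
    @{ Path = $Tcpip; Name = 'TcpTimedWaitDelay';                    Value = 30 },
    @{ Path = $Tcpip; Name = 'KeepAliveTime';                        Value = 300000 },
    @{ Path = $Tcpip; Name = 'EnableDeadGWDetect';                   Value = 0 },
    @{ Path = $Tcpip; Name = 'EnableICMPRedirect';                   Value = 0 },
    @{ Path = $Tcpip; Name = 'EnablePMTUDiscovery';                  Value = 0 },
    @{ Path = $Tcpip; Name = 'DisableIPSourceRouting';               Value = 2 },
    @{ Path = $Tcpip; Name = 'NoNameReleaseOnDemand';                Value = 1 },
    @{ Path = $NetBT; Name = 'BacklogIncrement';                     Value = 3 },
    @{ Path = $NetBT; Name = 'MaxConnBackLog';                       Value = 1000 },
    @{ Path = $Afd;   Name = 'EnableDynamicBacklog';                 Value = 1 },
    @{ Path = $Afd;   Name = 'MinimumDynamicBacklog';                Value = 20 },
    @{ Path = $Afd;   Name = 'MaximumDynamicBacklog';                Value = 20000 },
    @{ Path = $Afd;   Name = 'DynamicBacklogGrowthDelta';            Value = 10 }
)

foreach ($r in $Recommended) {
    # A missing value means the stack is running with its built-in default.
    $current = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
    $state = if ($null -eq $current) { 'MISSING' }
             elseif ($current -eq $r.Value) { 'OK' }
             else { 'DIFFERS' }
    '{0,-8} {1,-36} current={2,-8} recommended={3}' -f $state, $r.Name, $current, $r.Value

    if ($Apply -and $state -ne 'OK') {
        if (-not (Test-Path $r.Path)) { New-Item -Path $r.Path -Force | Out-Null }
        # REG_DWORD, matching the dword: entries listed in the article.
        New-ItemProperty -Path $r.Path -Name $r.Name -PropertyType DWord `
            -Value $r.Value -Force | Out-Null
    }
}
```

Run it without -Apply first to see which values differ from the article's recommendations before changing anything.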


Manually modify the following parts based on actual conditions:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
Enable security filtering on the NIC.
"EnableSecurityFilters" = dword: 00000001

The number of TCP connections that may be open at the same time; set as needed.
"TcpNumConnections" =

This parameter controls the size limit of the TCP header table. On machines with a large amount of RAM, this setting can improve response performance during SYN attacks.
"TcpMaxSendFree" =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Your NIC interface}]
Disable router discovery. ICMP router advertisement packets can be used to add entries to the routing table, which can be exploited in attacks, so router discovery is disabled. (The value name in the original was garbled; the registry value is PerformRouterDiscovery.)
"PerformRouterDiscovery" = dword: 00000000
