Simple settings to defend against small-traffic DDoS attacks

Source: Internet
Author: User
You do not necessarily need a firewall to defend against DDoS attacks. For some of them, the DOS command `netstat -an | more` or built-in network analysis software such as a sniffer is enough to see what is going on, and tools that ship with Windows 2000, such as Routing and Remote Access or IP security policies, can be used to deal with them. Security settings on the server itself are another way to reduce exposure. Only if configuring the server does not solve the problem should you consider buying an anti-DDoS firewall. The operating system has many relevant features of its own, but most of them have to be dug out slowly. This article gives a brief introduction to strengthening a Windows 2000 system's resistance to DoS by modifying the registry.

Note that all of the following security settings are made through the registry. How well they perform depends on the server's configuration, especially its CPU processing capacity. With the following settings applied to a dual-channel Xeon 10 thousand GB server, testing showed that the server could withstand attacks of about packets.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

'Disable dead-gateway detection. When the server is configured with multiple gateways, the system tries to switch to the second gateway whenever the network is congested;
'disabling this check keeps the routing stable and optimizes the network.
"EnableDeadGWDetect" = DWORD: 00000000

'Do not respond to ICMP redirect packets. Such packets can be used in attacks, so the system should reject them.
"EnableICMPRedirect" = DWORD: 00000000

'Do not release the NetBIOS name on demand. When an attacker sends a request asking the server to give up its NetBIOS name, the server refuses to respond.
'Note that the system must have SP2 or later installed.
"NoNameReleaseOnDemand" = DWORD: 00000001

'Send keep-alive verification packets. This value sets the interval at which TCP checks whether an idle connection is still alive;
'if it is not set, the system checks idle TCP connections every two hours. Here it is set to 5 minutes (300000 ms).
"KeepAliveTime" = DWORD: 000493e0

'Disable path MTU discovery. With a value of 1 the maximum transmittable packet size is detected automatically, which improves transmission efficiency;
'setting it to 0, for fault tolerance or security, fixes the MTU at 576 bytes.
"EnablePMTUDiscovery" = DWORD: 00000000

'Enable SYN attack protection. The default value 0 means the protection is off; 1 and 2 both enable it, with 2 giving the higher level of security.
'What counts as an attack is decided by the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values below, which set the conditions that trigger the protection.
'Note that on NT 4.0 this must be set to 1: with a value of 2, a specially crafted packet can cause the system to restart.
"SynAttackProtect" = DWORD: 00000002

'The number of half-open connections that may exist at the same time. A half-open connection is a TCP session that has not been fully established; netstat shows it in the SYN_RCVD state.
'The recommended values are 100 for Server and 500 for Advanced Server; setting it a little lower is advisable.
"TcpMaxHalfOpen" = DWORD: 00000064

'The trigger point that determines whether an attack is under way. Microsoft's recommended values are 80 for Server and 400 for Advanced Server.
"TcpMaxHalfOpenRetried" = DWORD: 00000050

'Sets the SYN-ACK wait time. The default value is 3, which amounts to 45 seconds; a value of 2 takes 21 seconds,
'a value of 1 takes 9 seconds, and the minimum value 0 means no waiting, taking 3 seconds. Adjust this value according to the scale of the attack.
'Microsoft's site-security recommendation is 2.
"TcpMaxConnectResponseRetransmissions" = DWORD: 00000001

'Sets how many times TCP retransmits a single data segment. The default value is 5, which takes 240 seconds by default. Microsoft's site-security recommendation is 3.
"TcpMaxDataRetransmissions" = DWORD: 00000003

'Sets the threshold for SYN attack protection. When the available backlog drops to 0, this parameter controls whether SYN attack protection is enabled. Microsoft's site-security recommendation is 5.
"TcpMaxPortsExhausted" = DWORD: 00000005

'Disable IP source routing. The default value 1 means source-routed packets are not forwarded; 0 means all such packets are forwarded; 2 means all incoming
'source-routed packets are dropped. Microsoft's site-security recommendation is 2.
"DisableIPSourceRouting" = DWORD: 00000002

'The maximum time a connection is allowed to stay in the TIME_WAIT state. The default value is 240 seconds; the minimum is 30 seconds and the maximum 300 seconds. 30 seconds is recommended.
"TcpTimedWaitDelay" = DWORD: 0000001e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
'Increase the NetBT connection block increment. The default value is 3 and the range is 1-20. The larger the value, the more connections and the better the performance; each connection block consumes 87 bytes.
"BacklogIncrement" = DWORD: 00000003

'The maximum NetBT connection backlog. The range is 1-40000; here it is set to 1000. A larger value lets more connections be accepted when many connections exist.
"MaxConnBacklog" = DWORD: 000003e8

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
'Enable dynamic backlog. For systems that are busy or vulnerable to SYN attacks, set this to 1 to allow the backlog to grow dynamically.
"EnableDynamicBacklog" = DWORD: 00000001

'Minimum dynamic backlog: the minimum number of free connections kept by the dynamic backlog. When the number of free connections falls below this value,
'free connections are allocated automatically. The default value is 0; for systems that are busy or vulnerable to SYN attacks, 20 is recommended.
"MinimumDynamicBacklog" = DWORD: 00000014

'Maximum dynamic backlog: the maximum number of "quasi" connections. It depends mainly on memory size; in theory it can be raised by 5000 for every 32 MB of memory.
'Here it is set to 20000.
"MaximumDynamicBacklog" = DWORD: 00004e20

'The number of free connections added each time the backlog grows. The default value is 5. For a network that is busy or vulnerable to SYN attacks,
'10 is recommended.
"DynamicBacklogGrowthDelta" = DWORD: 0000000a

Adjust the following manually according to actual conditions:

'-------------------------------------------------------------------------------------------------
'[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
'Enable security filtering on the NIC.
'"EnableSecurityFilters" = DWORD: 00000001
'
'The number of TCP connections that may be open at the same time; control it as needed.
'"TcpNumConnections" =
'
'This parameter limits the size of the TCP header table. On machines with a lot of RAM, raising it can improve response performance during a SYN attack.
'"TcpMaxSendFree" =
'
'[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Your NIC interface}]
'Disable router discovery. ICMP router advertisement packets can be used to add entries to the routing table, which can be exploited in attacks, so router discovery is disabled.
"PerformRouterDiscovery" = DWORD: 00000000
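To verify that a server actually carries the baseline above, here is an added Python example (not part of the original article): it parses the `[key]` / `"Name"=dword:` lines of a `reg export` file and reports every recommended value that is missing or differs. The export text embedded in the block is constructed for illustration; the baseline values are the ones given in the sections above.

```python
import re

# Hardening baseline taken from the article above (registry names are case-insensitive).
BASELINE = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters": {
        "EnableDeadGWDetect": 0, "EnableICMPRedirect": 0, "NoNameReleaseOnDemand": 1,
        "KeepAliveTime": 300000, "EnablePMTUDiscovery": 0, "SynAttackProtect": 2,
        "TcpMaxHalfOpen": 100, "TcpMaxHalfOpenRetried": 80, "TcpMaxConnectResponseRetransmissions": 1,
        "TcpMaxDataRetransmissions": 3, "TcpMaxPortsExhausted": 5, "DisableIPSourceRouting": 2, "TcpTimedWaitDelay": 30,
    },
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters": {"BacklogIncrement": 3, "MaxConnBacklog": 1000},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters": {
        "EnableDynamicBacklog": 1, "MinimumDynamicBacklog": 20,
        "MaximumDynamicBacklog": 20000, "DynamicBacklogGrowthDelta": 10,
    },
}

def parse_reg_export(text):
    # Returns {key (lower-case): {value name (lower-case): int}} for every dword line in the export.
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            values.setdefault(key, {})
        elif key is not None and (m := re.match(r'"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$', line)):
            values[key][m.group(1).lower()] = int(m.group(2), 16)   # dword values are hex in .reg files
    return values

def audit(export_text):
    # Returns (key, name, expected, actual) for each baseline value that is absent (actual None) or differs.
    found = parse_reg_export(export_text)
    findings = []
    for key, wanted in BASELINE.items():
        present = found.get(key.lower(), {})
        for name, expected in wanted.items():
            actual = present.get(name.lower())
            if actual != expected:
                findings.append((key, name, expected, actual))
    return findings

# Constructed sample export: SYN protection off, KeepAliveTime at the 2-hour default, most values absent.
SAMPLE_EXPORT = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000000
"KeepAliveTime"=dword:006ddd00
"EnableDeadGWDetect"=dword:00000000
"""
```

Run `audit(SAMPLE_EXPORT)` against a real export taken with `reg export` to list the settings still to be changed; a value that is missing entirely is reported with `None` as its current value.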
