Windows Server configuration for high concurrency and DDoS attacks

Source: Internet
Author: User
Tags: anonymous, socket

Windows itself has many mechanisms that can improve performance and security, several of which help the system cope with high concurrent request loads and DDoS attacks.

Windows Server performance can be improved with the following configurations:

First, handling high concurrent requests:

1, TCP closed-connection wait time TcpTimedWaitDelay:

This is the time that must elapse before TCP/IP can release a closed connection and reuse its resources. The interval between close and release is known as the TIME_WAIT state, or twice the maximum segment lifetime (2MSL). During this interval, reopening the connection between client and server costs less than establishing a new one. Reducing this value lets TCP/IP release closed connections sooner and frees resources for new connections. Adjust this parameter if you run an application that needs to release and create connections rapidly, or if throughput is low because many connections sit in TIME_WAIT. The default value is 240 seconds, the minimum is 30 seconds, the maximum is 300 seconds, and the recommended setting is 30 seconds.

Registry setting:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpTimedWaitDelay"=dword:0000001e

2, maximum TCP user port MaxUserPort:

When a TCP client connects to a server, the client must allocate a dynamic port. By default the dynamic port range is 1024-5000, which means that by default a client can open at most 3,977 socket connections at the same time. Widening this dynamic port range increases the data throughput of the system.

Registry setting:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"MaxUserPort"=dword:000ffffe

3, keep-alive time KeepAliveTime:

Windows does not send keep-alive packets by default, but some TCP applications may request keep-alives on their connections. Kept-alive connections can be exploited by an attacker to hold open a large number of connections and cause the server to deny service. Lowering this value helps the system disconnect inactive sessions more quickly.

Registry setting:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"KeepAliveTime"=dword:000493e0

4, TCP maximum data retransmissions TcpMaxDataRetransmissions

This parameter controls how many times TCP retransmits a data segment before the connection is aborted. If the computer receives no acknowledgment within this limit, the connection is terminated.

Registry setting:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpMaxDataRetransmissions"=dword:00000003

5, TCP maximum connect-response retransmissions TcpMaxConnectResponseRetransmissions

This parameter sets the number of SYN-ACK retransmissions, and therefore the SYN-ACK wait time, and can be used to improve the network performance of the system. The default value is 3, which takes 45 seconds; a value of 2 takes 21 seconds; a value of 1 takes 9 seconds; a value of 0 means no retry and takes 3 seconds.

Registry setting:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpMaxConnectResponseRetransmissions"=dword:00000002

Second, defending against DDoS attacks (in addition to the settings above):

1, SYN attack protection SynAttackProtect:

To protect against SYN attacks, the TCP/IP stack of Windows NT-based systems has a built-in SynAttackProtect mechanism. When triggered, SynAttackProtect turns off certain socket options, adds additional connection indications and reduces timeouts so that the system can handle more SYN connections.

Registry setting:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002

2, dead gateway detection EnableDeadGWDetect:

When a server has multiple gateways, the system tries the second gateway when the network is unresponsive. Allowing automatic detection of dead gateways can lead to DoS; turning it off protects against SNMP attacks and optimizes the network.

Registry setting:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableDeadGWDetect"=dword:00000000

3, ICMP redirect function EnableICMPRedirect:

Whether to accept ICMP Redirect messages. ICMP Redirect messages can be used to attack the host, so the system should refuse them to protect against ICMP attacks.

Registry setting:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000000

4, IP source routing restriction DisableIPSourceRouting:

Whether to discard IP source-routed packets. Disabling IP source routing protects against packet spoofing.

Registry setting:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DisableIPSourceRouting"=dword:00000002

5, router discovery PerformRouterDiscovery:

ICMP router advertisement packets can be used to add entries to the routing table and may cause DoS attacks, so router discovery is disabled.

Registry setting:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"PerformRouterDiscovery"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]
"PerformRouterDiscovery"=dword:00000000

6, NetBIOS name release on demand NoNameReleaseOnDemand

Allows the computer to ignore NetBIOS name-release requests except those from Windows servers. When an attacker sends a request for the server to give up its NetBIOS name, this prevents the server from responding.

Registry setting:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NoNameReleaseOnDemand"=dword:00000001

7. Internet Group Management Protocol level IGMPLevel

Controls the extent to which the system supports IP multicast and participates in the Internet Group Management Protocol. The default value of 2 supports both sending and receiving multicast data; a value of 1 supports only sending multicast data; a value of 0 disables multicast entirely.

Registry setting:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"IGMPLevel"=dword:00000000

8. Anonymous access Restrictions RestrictAnonymous

Prevents anonymous users from viewing user lists and security permissions. Anonymous access lets a client establish a null session with the target host without a username or password, and through that null session obtain the list of user accounts. With the user list, an attacker can then try to guess passwords.

Registry setting:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
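The following PowerShell audit script is an added example and is not part of the original article: it reads every value recommended in both sections above (the five performance settings and the eight DDoS settings) and reports which ones differ from the recommended value, without changing anything. The key paths and values are the ones given above; the function name Test-Setting and the report layout are my own.

```powershell
# Added audit script, not part of the original article. Read-only: reports which of the
# thirteen values recommended above differ from the current registry state; changes nothing.
# Assumes Windows PowerShell 5.1 or later, run as Administrator on Windows Server.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Test-Setting($Key, $Name, $Expected, $Note) {
    # An absent value means the OS default is in effect, which is not the recommended value.
    $current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    $shown   = if ($null -eq $current) { 'not set (OS default)' } else { $current }
    $status  = if ($current -eq $Expected) { 'OK' } else { 'DRIFT' }
    [pscustomobject]@{
        Key = Split-Path -Path $Key -Leaf; Setting = $Name; Current = $shown
        Expected = $Expected; Status = $status; Note = $Note
    }
}

# Expected values are the decimal equivalents of the dword values given in the article.
$report = @(
    Test-Setting $tcpip 'TcpTimedWaitDelay'                    30     'TIME_WAIT hold time, seconds'
    Test-Setting $tcpip 'MaxUserPort'                          65534  'upper bound of dynamic client ports'
    Test-Setting $tcpip 'KeepAliveTime'                        300000 'keep-alive interval, ms (5 min)'
    Test-Setting $tcpip 'TcpMaxDataRetransmissions'            3      'data retransmissions before abort'
    Test-Setting $tcpip 'TcpMaxConnectResponseRetransmissions' 2      'SYN-ACK retransmissions (about 21 s)'
    Test-Setting $tcpip 'SynAttackProtect'                     2      'SYN flood protection'
    Test-Setting $tcpip 'EnableDeadGWDetect'                   0      'dead gateway detection off'
    Test-Setting $tcpip 'EnableICMPRedirect'                   0      'ignore ICMP redirects'
    Test-Setting $tcpip 'DisableIPSourceRouting'               2      'drop source-routed packets'
    Test-Setting $tcpip 'PerformRouterDiscovery'               0      'router discovery off (global)'
    Test-Setting $tcpip 'NoNameReleaseOnDemand'                1      'ignore NetBIOS name-release requests'
    Test-Setting $tcpip 'IGMPLevel'                            0      'multicast disabled'
    Test-Setting $lsa   'RestrictAnonymous'                    1      'no anonymous (null session) enumeration'
)
# Per-interface settings live under Interfaces\{adapter GUID}, one subkey per adapter,
# so the per-interface PerformRouterDiscovery value is checked on every adapter.
foreach ($adapter in Get-ChildItem -Path "$tcpip\Interfaces" -ErrorAction SilentlyContinue) {
    $report += Test-Setting $adapter.PSPath 'PerformRouterDiscovery' 0 'router discovery off (per adapter)'
}
$report | Format-Table -AutoSize

# Caveat: on Windows Vista / Server 2008 and later the dynamic client port range defaults to
# 49152-65535 and is managed with netsh, so also run: netsh int ipv4 show dynamicport tcp
```

Changes to these Tcpip parameters take effect only after a reboot, so run the audit again after restarting to confirm which values are actually in force.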
