The Windows system itself has many mechanisms that can be used to improve performance and security, many of which can be used to cope with high concurrent requests and DDoS attacks.
Windows Server performance can be improved with the following configurations:
First, to respond to high concurrent requests:
1, TCP connection delay wait time TcpTimedWaitDelay:
This is the time that must elapse before TCP/IP can release a closed connection and reuse its resources. This interval between shutdown and release is generally known as the time_wait state or twice times the maximum segment life cycle (2MSL) state. During this time, the cost of reopening the connection to the client and the server is less than establishing a new connection. Reducing this value allows TCP/IP to release closed connections more quickly and to provide additional resources for new connections. Adjust this parameter if you are running an application that needs to quickly release and create a new connection, and because there are many connections in time_wait that result in low throughput. The default value is 240 seconds, the minimum 30 seconds, the maximum 300 seconds, and the recommended set to 30 seconds.
2, maximum TCP use port MaxUserPort:
When a TCP client and server are connected, the client must allocate a dynamic port, by default the dynamic port is allocated a range of 1024-5000, which means that by default, the client can initiate up to 3,977 socket connections at the same time. By modifying the scope of this dynamic port, the data throughput of the system can be increased
3, keep the connection time KeepAliveTime:
Windows does not send keep active packets by default, but packets that may be requested to remain active in some TCP packets. Keeping the connection can be exploited by an attacker to create a large number of connections causing the server to deny service. Lowering this parameter value helps the system to disconnect inactive sessions more quickly.
4, TCP data maximum number of TcpMaxDataRetransmissions
This parameter controls the number of times that TCP has retransmitted the data segment before the connection exception aborts. If the computer does not receive any acknowledgment messages within this limit, the connection will be terminated.
5, TCP connection maximum number of tcpmaxconnectresponseretransmissions
This parameter sets the Syn-ack wait time and can be used to improve the network performance of the system. The default time is 3, the consumption time is 45 seconds, the item value is 2, the time consuming is 21 seconds, the item value is 1, the time consuming is 9 seconds; The item value is 0, which means no wait, and consumes a time of 3 seconds
Second, the response to DDoS attacks: (including the above settings)
1, SYN attack protection SynAttackProtect:
To protect against SYN attacks, the TCP/IP protocol stack of Windows NT system is embedded with synattackprotect mechanism. The synattackprotect mechanism is to prevent SYN attacks by turning off certain socket options, adding additional connection instructions and reducing timeout times so that the system can handle more SYN connections.
2, invalid gateway detection function EnableDeadGWDetect:
When a server has multiple gateways, the system attempts to connect to the second gateway when the network is not smooth. Allowing automatic detection of failed gateways can lead to DoS, shutting it down to protect against SNMP attacks and optimizing the network.
3, ICMP redirect function EnableICMPRedirect:
Whether to respond to ICMP Redirect messages. ICMP Redirect messages may be used to attack, so the system should refuse to accept such messages to protect against ICMP attacks.
4, IP Source Routing Restrictions disableipsourcerouting:
Do you want to disable IP source routing packets and disable IP source routing protection to prevent packet spoofing
5, routing discovery function performrouterdiscovery:
ICMP routing notification packets can be used to increase the routing table record and may cause Dos attacks, so routing discovery is prohibited.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]
"PerformRouterDiscovery" =dword:00000000
6, Server name response function NoNameReleaseOnDemand
Allows the computer to ignore NetBIOS name publishing requests except from Windows servers. When an attacker issues a request to query the server NetBIOS name, the server can be prevented from responding.
7. Internet Group Management Protocol level IGMPLevel
Used to control how much the system supports IP multicast and participates in Internet Group management protocols. The default value is 2, which supports sending and receiving multicast data, and a value of 1 indicates that only sending multicast data is supported; The item value of 0 indicates that the multicast feature is not supported.
8. Anonymous access Restrictions RestrictAnonymous
Used to prevent anonymous access to view user lists and security permissions. Anonymous access allows the connector to establish an empty connection with the target host without a username and password, and the connection can get a list of users using this null connection. With the user list, you can take a poor guess at the password.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
