IP stack against denial of service attacks in

May 9, 2007 - Value name: SynAttackProtect ... Value name: EnableDeadGWDetect ... and servers to confirm that they are compatible with your business.
Télécharger le PDF
45KB taille 19 téléchargements 394 vues
commentaire
Report
How to harden the TCP/IP stack against denial of service attacks in Windows Server ... Page 1 sur 3

How to harden the TCP/IP stack against denial of service attacks in Windows Server 2003 This article was previously published under Q324270

On This Page SUMMARY

Article ID : 324270 Last Review : October 30, 2006 Revision : 10.2

TCP/IP Registry Values That Harden the TCP/IP Stack Troubleshooting

SUMMARY Denial of service (DoS) attacks are network attacks that are aimed at making a computer or a particular service on a computer unavailable to network users. Denial of service attacks can be difficult to defend against. To help prevent denial of service attacks, you can use one or both of the following methods:

• Keep your computer updated with the latest security fixes. Security fixes are located on the following Microsoft Web site: http://www.microsoft.com/security (http://www.microsoft.com/security)

• Harden the TCP/IP protocol stack on your Windows Server 2003 computers. The default TCP/IP stack configuration is tuned to handle standard intranet traffic. If you connect a computer directly to the Internet, Microsoft recommends that you harden the TCP/IP stack against denial of service attacks.

TCP/IP Registry Values That Harden the TCP/IP Stack Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. The following list explains the TCP/IP-related registry values that you can configure to harden the TCP/IP stack on computers that are directly connected to the Internet. All of these values should be created under the following registry key, unless otherwise noted: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services NOTE: All values are in hexadecimal unless otherwise noted.

• Value name: SynAttackProtect Key: Tcpip\Parameters Value Type: REG_DWORD Valid Range: 0,1 Default: 0 This registry value causes Transmission Control Protocol (TCP) to adjust retransmission of SYNACKS. When you configure this value, the connection responses time out more quickly during a SYN attack (a type of denial of service attack). The following parameters can be used with this registry value:

• 0 (default value): No SYN attack protection • 1: Set SynAttackProtect to 1 for better protection against SYN attacks. This parameter causes TCP to adjust the retransmission of SYN-ACKS. When you set SynAttackProtect to 1, connection responses time out more quickly if the system detects that a SYN attack is in progress. Windows uses the following values to determine whether an attack is in progress:

• TcpMaxPortsExhausted • TCPMaxHalfOpen • TCPMaxHalfOpenRetried Note In Windows Server 2003 Service Pack 1, the default value for the SynAttackProtect registry entry is 1.

• Value name: EnableDeadGWDetect Key: Tcpip\Parameters Value Type: REG_DWORD Valid Range: 0, 1 (False, True)

http://support.microsoft.com/kb/324270/en-us

09/05/2007

How to harden the TCP/IP stack against denial of service attacks in Windows Server ... Page 2 sur 3

Default: 1 (True) The following list explains the parameters that you can use with this registry value:

• 1: When you set EnableDeadGWDetect to 1, TCP is permitted to perform dead-gateway detection. When dead-gateway detection is enabled, TCP may ask the Internet Protocol (IP) to change to a backup gateway if a number of connections are experiencing difficulty. Backup gateways are defined in the Advanced section of the TCP/IP configuration dialog box in the Network tool in Control Panel.

• 0: Microsoft recommends that you set the EnableDeadGWDetect value to 0. If you do not set this value to 0, an attack may force the server to switch gateways and cause it to switch to an unintended gateway.

• Value name: EnablePMTUDiscovery Key: Tcpip\Parameters Value Type: REG_DWORD Valid Range: 0, 1 (False, True) Default: 1 (True) The following list explains the parameters that you can use with this registry value:

• 1: When you set EnablePMTUDiscovery to 1, TCP tries to discover either the maximum transmission unit (MTU) or the largest packet size over the path to a remote host. TCP can remove fragmentation at routers along the path that connect networks with different MTUs by discovering the path MTU and limiting TCP segments to this size. Fragmentation adversely affects TCP throughput.

• 0: Microsoft recommends that you set EnablePMTUDiscovery to 0. When you do so, an MTU of 576 bytes is used for all connections that are not hosts on the local subnet. If you do not set this value to 0, an attacker may force the MTU value to a very small value and overwork the stack. Important Setting EnablePMTUDiscovery to 0 negatively affects TCP/IP performance and throughput. Even though Microsoft recommends this setting, it should not be used unless you are fully aware of this performance loss.

• Value name: KeepAliveTime Key: Tcpip\Parameters Value Type: REG_DWORD-Time in milliseconds Valid Range: 1-0xFFFFFFFF Default: 7,200,000 (two hours) This value controls how frequently TCP tries to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keepalive packet. Keep-alive packets are not sent by default. You can use a program to configure this value on a connection. The recommended value setting is 300,000 (5 minutes).

• Value name: NoNameReleaseOnDemand Key: Netbt\Parameters Value Type: REG_DWORD Valid Range: 0, 1 (False, True) Default: 0 (False) This value determines whether the computer releases its NetBIOS name when it receives a name-release request. This value was added to permit the administrator to protect the computer against malicious name-release attacks. Microsoft recommends that you set the NoNameReleaseOnDemand value to 1.

Troubleshooting When you change the TCP/IP registry values, you may affect programs and services that are running on the Windows Server 2003-based computer. Microsoft recommends that you test these settings on nonproduction workstations and servers to confirm that they are compatible with your business environment.

APPLIES TO • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86) • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86) • Microsoft Windows Server 2003, Standard Edition (32-bit x86)

http://support.microsoft.com/kb/324270/en-us

09/05/2007

How to harden the TCP/IP stack against denial of service attacks in Windows Server ... Page 3 sur 3

• Microsoft Windows Server 2003, Web Edition • Microsoft Windows Server 2003, 64-Bit Datacenter Edition • Microsoft Windows Server 2003, Enterprise x64 Edition • Microsoft Windows Small Business Server 2003 Standard Edition • Microsoft Windows Small Business Server 2003 Premium Edition

Keywords: kbnetwork kbhowtomaster KB324270

©2007 Microsoft Corporation. Tous droits réservés.

http://support.microsoft.com/kb/324270/en-us

09/05/2007