Configure Windows 2000 stack to resist network Denial of Service

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

The TCP/IP registry settings that resist DoS attacks are mostly shared between Windows NT and Windows 2000. Two of the settings are Windows 2000 only (see the end of the article).

www.securityportal.com has published a Denial of Service FAQ which can provide you with background information.

TechRepublic has published Security on IP Networks - Countering Denial-of-Service (DoS) Attacks.

www.windows2000security.com has published Distributed Denial of Service Defense Tactics.

SANS Institute has published an Analysis of the "Shaft" Distributed Denial of Service Tool.

Microsoft has published guidance on hardening the NT TCP/IP stack against these attacks. The registry settings documented here are taken from Microsoft sources.

SYN attack protection reduces the number of SYN-ACK retransmissions, which shortens the time for which resources stay allocated to a half-open connection, and delays allocation of the route cache entry (RCE) until the connection is established. With SynAttackProtect = 2, the connection indication to AFD is also delayed until the three-way handshake has completed. Note that the protective measures are only triggered when both the TcpMaxHalfOpen and TcpMaxHalfOpenRetried thresholds are exceeded. Apply the following registry setting:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: SynAttackProtect
Type: REG_DWORD
Value: 0
no SYN attack protection
Value: 1
reduced retransmission retries and delayed RCE (route cache entry) creation once the TcpMaxHalfOpen and TcpMaxHalfOpenRetried thresholds are exceeded.
Value: 2
This setting provides the best protection. In addition to the behaviour of value 1, it delays the connection indication to AFD until the handshake completes, so that TCP connection requests time out quickly during a SYN attack.

While the system is under attack, the following options can no longer be enabled on any socket: scalable windows (RFC 1323) and per-adapter configured TCP parameters (initial RTT, window size). This is because, while protection is active, the route cache entry is not queried before the SYN-ACK is sent, and the Winsock options are not available at that stage of the connection.

Cautionary note: I have seen a report that setting SynAttackProtect=2 in combination with TcpMaxHalfOpen=100 and TcpMaxHalfOpenRetried=80 can cause IIS to blue screen under real loads, when testing revealed no problem. Whether it is one of those interaction effects not likely to happen on your server, I cannot say. If a consensus begins to build, I will note it here. For now, I present the report in case the situation is duplicated in your environment. If so, remove these three keys to see if the blue screens stop. If you have implemented these settings, please let me know your results. Wayne Maples

The TcpMaxHalfOpen parameter controls the number of connections in the SYN-RCVD state allowed before SYN attack protection begins to operate. If SynAttackProtect is set to 1, ensure that this value is lower than the AFD listen backlog on the port you want to protect.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: TcpMaxHalfOpen
Type: REG_DWORD
Value: 100
Professional, Server
Value: 500
Advanced Server

The TcpMaxHalfOpenRetried parameter controls the number of connections in the SYN-RCVD state for which at least one retransmission of the SYN-ACK has been sent, before SYN attack protection begins to operate.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: TcpMaxHalfOpenRetried
Type: REG_DWORD
Value: 80
Professional, Server
Value: 400
Advanced Server
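The three values above only make sense together: protection engages when the live count of half-open connections exceeds TcpMaxHalfOpen and the count of retransmitted ones exceeds TcpMaxHalfOpenRetried. The following PowerShell script is an added example, not code from the original article or from Microsoft: it reads the three configured values (falling back to the Professional/Server defaults given above when a value is absent) and compares them with the number of SYN_RECEIVED connections netstat currently shows. It assumes a modern PowerShell host with netstat.exe on the path; the registry path is the one documented in this article. Note that netstat cannot show whether a SYN-ACK has already been retransmitted, so only the TcpMaxHalfOpen threshold can be checked this way, and that on Windows Vista / Server 2008 and later these three values are no longer read by the stack.

```powershell
# Added example (not from the original article or from Microsoft): read the SYN attack
# protection values and compare the live half-open connection count against them.
# Assumes a modern PowerShell host on Windows with netstat.exe available; the key
# path is the one the article documents.
$tcpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-TcpParameter {
    # Returns the configured REG_DWORD, or the supplied built-in default when the
    # value is absent (an absent value means the stack uses its default).
    param([string]$Name, [int]$DefaultValue)
    $props = Get-ItemProperty -Path $tcpParams -ErrorAction SilentlyContinue
    if ($props -and $null -ne $props.$Name) { return [int]$props.$Name }
    return $DefaultValue
}

function Get-HalfOpenConnectionCount {
    # SYN_RECEIVED in netstat output is the SYN-RCVD state the thresholds refer to.
    # netstat does not show whether the SYN-ACK has been retransmitted, so the
    # TcpMaxHalfOpenRetried threshold cannot be checked from this output.
    $synRcvd = netstat -an -p tcp | Where-Object { $_ -match 'SYN_RECEIVED\s*$' }
    return @($synRcvd).Count
}

function Get-SynAttackStatus {
    # Defaults are the Professional/Server figures from the article
    # (Advanced Server uses 500 and 400).
    $protect  = Get-TcpParameter -Name 'SynAttackProtect'      -DefaultValue 0
    $maxOpen  = Get-TcpParameter -Name 'TcpMaxHalfOpen'        -DefaultValue 100
    $maxRetry = Get-TcpParameter -Name 'TcpMaxHalfOpenRetried' -DefaultValue 80
    $halfOpen = Get-HalfOpenConnectionCount

    [pscustomobject]@{
        SynAttackProtect      = $protect
        TcpMaxHalfOpen        = $maxOpen
        TcpMaxHalfOpenRetried = $maxRetry
        HalfOpenNow           = $halfOpen
        # Protection only engages when both thresholds are exceeded; exceeding
        # TcpMaxHalfOpen is the necessary condition that can be observed here.
        OverHalfOpenThreshold = ($halfOpen -gt $maxOpen)
        ProtectionConfigured  = ($protect -ge 1)
    }
}

Get-SynAttackStatus | Format-List
```

Run it during normal load first: if HalfOpenNow regularly approaches TcpMaxHalfOpen on a busy listener, the thresholds are too low for that server and the protection will engage against legitimate traffic, which is the kind of interaction the cautionary note above describes.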

EnablePMTUDiscovery : when this parameter is set to 1 (True), TCP attempts to discover the maximum transmission unit (MTU, the largest packet size) over the path to a remote host. By discovering the path MTU and limiting TCP segments to that size, TCP avoids fragmentation at routers along the path that connect networks with different MTUs. Fragmentation adversely affects TCP throughput and increases network congestion. Setting this parameter to 0 causes an MTU of 576 bytes to be used for all connections to hosts that are not on the local subnet.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: EnablePMTUDiscovery
Type: REG_DWORD
Value: 0
recommended - an attacker who can force a very small path MTU makes the stack fragment every large packet; with discovery disabled the MTU for off-subnet hosts is fixed at 576 bytes
Value: 1
default

NoNameReleaseOnDemand : this parameter determines whether the computer releases its NetBIOS name when it receives a name-release request from the network. It was added so that the administrator can protect the machine against malicious name-release attacks.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: NoNameReleaseOnDemand
Type: REG_DWORD
Value: 1
recommended
Value: 0
default

EnableDeadGWDetect : when this parameter is 1, TCP is allowed to perform dead-gateway detection. With this feature enabled, TCP may ask IP to switch to a backup gateway if a number of connections are experiencing difficulty. Backup gateways may be defined in the Advanced section of the TCP/IP configuration dialog in the Network Control Panel.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: EnableDeadGWDetect
Type: REG_DWORD
Value: 0
recommended - an attacker could force the server to switch gateways, and so divert its traffic to a gateway you never intended it to use.
Value: 1
default

KeepAliveTime : this parameter controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote system is still reachable and functioning, it acknowledges the keep-alive transmission. Keep-alive packets are not sent by default; an application may enable the feature on a connection. The value is in milliseconds.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: KeepAliveTime
Type: REG_DWORD
Value: 300,000 (five minutes)
recommended
Value: 7,200,000 (two hours)
default

PerformRouterDiscovery : this parameter controls whether Windows 2000 attempts to perform ICMP router discovery per RFC 1256, on a per-interface basis.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: PerformRouterDiscovery
Type: REG_DWORD
Value: 0
recommended - prevents the host from acting on bogus (spoofed) router advertisements.
Value: 1
enabled
Value: 2
enabled only if DHCP sends the router discovery option (default)

EnableICMPRedirects : this parameter controls whether Windows 2000 alters its route table in response to ICMP redirect messages sent to it by network devices such as routers.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: EnableICMPRedirects
Type: REG_DWORD
Value: 0
recommended
Value: 1
default
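All of the values in this article live under the same Tcpip\Parameters key and differ only in name, recommended value and default. The script below is an added example, not code from the original article or from Microsoft: it audits the key against the recommended values listed above (reporting the built-in default where a value is absent) and, with Set-TcpHardening, writes the recommended REG_DWORDs, honouring -WhatIf so the change can be previewed. It assumes a modern PowerShell host run as Administrator; the key path, names and values are those given in this article (Professional/Server figures for the two half-open thresholds, and 0 for EnablePMTUDiscovery as the Microsoft guidance recommends). On Windows Vista / Server 2008 and later the SynAttackProtect, TcpMaxHalfOpen and TcpMaxHalfOpenRetried values are no longer read by the stack; the others still apply.

```powershell
# Added example (not from the original article or from Microsoft): audit the TCP/IP
# hardening values discussed in the article and optionally apply them.
# Assumes a modern PowerShell host run as Administrator; key path, names and values
# are the ones the article documents.
$tcpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Name -> recommended value and built-in default. Half-open thresholds use the
# Professional/Server figures (Advanced Server: 500 and 400). KeepAliveTime is ms.
$hardening = [ordered]@{
    SynAttackProtect       = @{ Recommended = 2;      Default = 0 }
    TcpMaxHalfOpen         = @{ Recommended = 100;    Default = 100 }
    TcpMaxHalfOpenRetried  = @{ Recommended = 80;     Default = 80 }
    EnablePMTUDiscovery    = @{ Recommended = 0;      Default = 1 }
    NoNameReleaseOnDemand  = @{ Recommended = 1;      Default = 0 }
    EnableDeadGWDetect     = @{ Recommended = 0;      Default = 1 }
    KeepAliveTime          = @{ Recommended = 300000; Default = 7200000 }
    PerformRouterDiscovery = @{ Recommended = 0;      Default = 2 }
    EnableICMPRedirects    = @{ Recommended = 0;      Default = 1 }
}

function Get-TcpHardeningAudit {
    # One object per setting: what is in effect, where it comes from, and whether
    # it matches the recommendation. An absent value means the default is in effect.
    $current = Get-ItemProperty -Path $tcpParams -ErrorAction Stop
    foreach ($name in $hardening.Keys) {
        $expected = $hardening[$name].Recommended
        $present  = $null -ne $current.$name
        $actual   = if ($present) { [int]$current.$name } else { $hardening[$name].Default }
        [pscustomobject]@{
            Name      = $name
            Actual    = $actual
            Expected  = $expected
            Source    = if ($present) { 'registry' } else { 'built-in default' }
            Compliant = ($actual -eq $expected)
        }
    }
}

function Set-TcpHardening {
    # Writes the recommended REG_DWORD for every non-compliant setting.
    # Supports -WhatIf / -Confirm through ShouldProcess.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($finding in Get-TcpHardeningAudit | Where-Object { -not $_.Compliant }) {
        $target = "$tcpParams\$($finding.Name)"
        if ($PSCmdlet.ShouldProcess($target, "Set REG_DWORD to $($finding.Expected)")) {
            New-ItemProperty -Path $tcpParams -Name $finding.Name -PropertyType DWord `
                -Value $finding.Expected -Force | Out-Null
        }
    }
    # The stack reads these values at boot: reboot for the changes to take effect.
}

Get-TcpHardeningAudit | Format-Table -AutoSize
# Set-TcpHardening -WhatIf    # preview; run without -WhatIf as Administrator to apply
```

Keep the audit output from before and after the change: if a server starts blue screening under load, as the cautionary note above reports for the SynAttackProtect combination, the Source column tells you which values you set explicitly and therefore which ones to remove first.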

Taken from the Microsoft Knowledge Base article Security Considerations for Network Attacks.
