
Protecting Against SYN Flood Attacks

Windows includes a protection that detects when the system is being targeted by a SYN flood attack (a type of denial of service attack) and adjusts connection time-outs accordingly. When the protection is enabled, connection responses time out more quickly in the event of an attack.

Open the registry and find the key below. Create a new DWORD value called "SynAttackProtect" and set it to 0, 1 or 2 as described in the list below. With this value set, Transmission Control Protocol (TCP) adjusts the retransmission of SYN-ACKs, so connection responses time out more quickly during a SYN attack.

0 (default) - typical protection against SYN attacks.
1 - better protection against SYN attacks that uses the advanced values below.
2 (recommended) - best protection against SYN attacks. This value adds additional delays for connection indications, and TCP connection requests time out quickly while a SYN attack is in progress.

Optional Advanced Values

If you want extra control, you can create the additional DWORD values listed below in the same key. They are not required for SynAttackProtect to be effective.

TcpMaxHalfOpen - default value is "100"
TcpMaxHalfOpenRetried - default value is "80"
TcpMaxPortsExhausted - default value is "5"
TcpMaxConnectResponseRetransmissions - default value is "3"

Restart Windows for the changes to take effect.
[Registry Editor screenshot of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\P... showing the values (Default) REG_SZ (value not set), SynAttackProtect REG_DWORD 0x00000002, TcpMaxHalfOpen REG_DWORD 0x00000064, TcpMaxHalfOpenedRetried REG_DWORD 0x00000050, TcpMaxPortsExhausted REG_DWORD 0x00000005 and TcpMaxConnectResponseRetrans... REG_DWORD 0x00000003]

Registry Legend
System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
Value Name: SynAttackProtect
Data Type: REG_DWORD (DWORD Value)

For Windows 2000, but some also apply to XP.

Protect Against SYN Attacks

A SYN attack exploits a vulnerability in the TCP/IP connection establishment mechanism. To mount a SYN flood attack, an attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server. This prevents other users from establishing network connections. To protect the network against SYN attacks, follow these generalized steps, explained later in this document:

Enable SYN attack protection
Set SYN protection thresholds
Set additional protections

Enable SYN Attack Protection

The named value to enable SYN attack protection is located beneath the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.

Value name: SynAttackProtect
Recommended value: 2
Valid values: 0, 1, 2
Description: Causes TCP to adjust retransmission of SYN-ACKs. When you configure this value, the connection responses time out more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.

Set SYN Protection Thresholds

The following values determine the thresholds at which SYN protection is triggered. All of the keys and values in this section are under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters. These keys and values are:

Value name: TcpMaxPortsExhausted
Recommended value: 5
Valid values: 0 to 65535
Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.

Value name: TcpMaxHalfOpen
Recommended value data: 500
Valid values: 100 to 65535
Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded, SYN flood protection is triggered.

Value name: TcpMaxHalfOpenRetried
Recommended value data: 400
Valid values: 80 to 65535
Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded, SYN flood protection is triggered.

Set Additional Protections

All the keys and values in this section are located under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters. These keys and values are:

Value name: TcpMaxConnectResponseRetransmissions
Recommended value data: 2
Valid values: 0 to 255
Description: Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request.

Value name: TcpMaxDataRetransmissions
Recommended value data: 2
Valid values: 0 to 65535
Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.

Value name: EnablePMTUDiscovery
Recommended value data: 0
Valid values: 0, 1
Description: Setting this value to 1 (the default) forces TCP to discover the maximum transmission unit (largest packet size) over the path to a remote host. An attacker can force packet fragmentation, which overworks the stack. Specifying 0 forces an MTU of 576 bytes for connections from hosts not on the local subnet.

Value name: KeepAliveTime
Recommended value data: 300000
Valid values: 80 to 4294967295
Description: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.

Set NetBIOS Protections

All the keys and values in this section are located under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters. These keys and values are:

Value name: NoNameReleaseOnDemand
Recommended value data: 1
Valid values: 0, 1
Description: Specifies that the computer does not release its NetBIOS name when it receives a name-release request.

Use the values that are summarized in Table 1 for maximum protection.

Table 1 Recommended Values

Value Name                              Value (REG_DWORD)
SynAttackProtect                        2
TcpMaxPortsExhausted                    1
TcpMaxHalfOpen                          500
TcpMaxHalfOpenRetried                   400
TcpMaxConnectResponseRetransmissions    2
TcpMaxDataRetransmissions               2
EnablePMTUDiscovery                     0
KeepAliveTime                           300000 (5 minutes)
NoNameReleaseOnDemand                   1

Protect Against ICMP Attacks

The named value in this section is under the registry key HKLM\System\CurrentControlSet\Services\TcpIp\Parameters.

Value: EnableICMPRedirect
Recommended value data: 0
Valid values: 0 (disabled), 1 (enabled)
Description: Modifying this registry value to 0 prevents the creation of expensive host routes when an ICMP redirect packet is received.

Use the value summarized in Table 2 for maximum protection.

Table 2 Recommended Values

Value Name            Value (REG_DWORD)
EnableICMPRedirect    0

Protect Against SNMP Attacks

The named value in this section is located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.

Value: EnableDeadGWDetect
Recommended value data: 0
Valid values: 0 (disabled), 1 (enabled)
Description: Prevents an attacker from forcing a switch to a secondary gateway.

Use the value summarized in Table 3 for maximum protection.

Table 3 Recommended Values

Value Name            Value (REG_DWORD)
EnableDeadGWDetect    0
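An audit script for the SynAttackProtect settings described above and the values in Tables 1 to 3, added here as an example; it is not part of the original page or of Microsoft's guidance. It assumes an elevated Windows PowerShell session and the Tcpip and Netbt Parameters keys named on the page; the -Apply switch is the script's own.

```powershell
# Added example (not from the page's source): audit, and with -Apply set, enforce the
# registry values from Tables 1 to 3. Run in an elevated Windows PowerShell session.
param([switch]$Apply)

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters'

# Recommended values as listed in the tables. The body text recommends 5 for
# TcpMaxPortsExhausted while Table 1 lists 1; Table 1 is followed here.
$recommended = @(
    @{ Path = $tcpip; Name = 'SynAttackProtect';                     Value = 2 },
    @{ Path = $tcpip; Name = 'TcpMaxPortsExhausted';                 Value = 1 },
    @{ Path = $tcpip; Name = 'TcpMaxHalfOpen';                       Value = 500 },
    @{ Path = $tcpip; Name = 'TcpMaxHalfOpenRetried';                Value = 400 },
    @{ Path = $tcpip; Name = 'TcpMaxConnectResponseRetransmissions'; Value = 2 },
    @{ Path = $tcpip; Name = 'TcpMaxDataRetransmissions';            Value = 2 },
    @{ Path = $tcpip; Name = 'EnablePMTUDiscovery';                  Value = 0 },
    @{ Path = $tcpip; Name = 'KeepAliveTime';                        Value = 300000 },
    @{ Path = $netbt; Name = 'NoNameReleaseOnDemand';                Value = 1 },
    @{ Path = $tcpip; Name = 'EnableICMPRedirect';                   Value = 0 },
    @{ Path = $tcpip; Name = 'EnableDeadGWDetect';                   Value = 0 }
)

$drift = 0
foreach ($item in $recommended) {
    # An absent value means the stack default applies, which is not the hardened setting.
    $current = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
    if ($null -eq $current)           { $state = 'MISSING' }
    elseif ($current -eq $item.Value) { $state = 'OK' }
    else                              { $state = 'DRIFT' }

    $shown = if ($null -eq $current) { '-' } else { $current }
    '{0,-8} {1,-38} current={2,-8} recommended={3}' -f $state, $item.Name, $shown, $item.Value

    if ($state -ne 'OK') {
        $drift++
        if ($Apply) {
            # -Force creates the value if it is missing and overwrites it if present.
            New-ItemProperty -Path $item.Path -Name $item.Name -PropertyType DWord `
                -Value $item.Value -Force | Out-Null
            Write-Output "         -> set $($item.Name) = $($item.Value)"
        }
    }
}

if ($drift -eq 0) { Write-Output 'All audited values match the recommended settings.' }
elseif ($Apply)   { Write-Output "$drift value(s) corrected; restart Windows for the changes to take effect." }
else              { Write-Output "$drift value(s) differ; re-run with -Apply to set them." }
```

The page describes the Windows 2000/XP/Server 2003 stack; on Windows Vista, Server 2008 and later, several of these values (SynAttackProtect and the half-open thresholds among them) are no longer read by the TCP/IP stack, so there the audit reports registry state rather than stack behaviour.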
