Win2000: improving anti-DDoS capability by modifying the registry

Denial of service, as the name says, means that after a certain attack takes place the attacked host can no longer provide its normal service in time: a web server (HTTP service) can no longer serve web pages, a mail server (SMTP, POP3) can no longer send and receive mail, and so on. Basically, a denial of service attack usually uses a large number of network packets to overwhelm the other party's network and host, so that normal users cannot obtain timely service from it. Distributed denial of service, in short, consumes the available system resources and network bandwidth with a volume of packets that far exceeds the target's processing capacity, leaving the network congested. Perhaps because of excessive media attention, DoS attacks, and DDoS attacks in particular, seem to have become popular overnight. Network administrators large and small, as soon as a server has a problem, excitedly shout "I was DDoSed!", with incomparable glory and pride written all over their faces. In fact, there are not that many DDoS attacks in the real world; after all, launching a DDoS attack requires a great many resources. But actual attacks are happening constantly, and these are all ordinary denial of service attacks. How to protect against attacks of this ordinary level has become the biggest headache for many network administrators, so they ask around, and the answer is usually the same: "buy our hardware firewall". Hardware firewalls, including dedicated anti-denial-of-service products, are certainly good, but they are basically very expensive; although effective, from the viewpoint of investment and investment protection they can be overkill. In fact, the operating system itself hides a lot of capability, though much of it has to be explored slowly.
Here is a brief introduction to how the registry can be modified in a Win2000 environment to strengthen the system's resistance to DoS attacks. Details (the text below can be saved with a .reg extension and imported; lines beginning with ";" are comments):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

; Turn off dead-gateway detection. When the server has multiple gateways, the system tries to switch to the "second gateway" when the network is congested; turning this off avoids that behaviour.
"EnableDeadGWDetect"=dword:00000000

; Do not respond to ICMP redirect messages. Such packets can be used for attacks, so the system should refuse to accept ICMP redirects.
"EnableICMPRedirects"=dword:00000000

; Do not allow the NetBIOS name to be released. When an attacker sends a name-release request for the server's NetBIOS name, the server will not release it.
; Note: this requires SP2 or later.
"NoNameReleaseOnDemand"=dword:00000001

; Send keep-alive verification packets. This option determines the interval after which TCP checks whether an idle connection is still alive.
; Without this value the system checks idle TCP connections every 2 hours. Here it is set to 5 minutes (300000 ms, hex 493e0).
"KeepAliveTime"=dword:000493e0

; Do not allow path MTU discovery. With a value of 1, the largest transmittable packet size is detected automatically,
; which can improve transmission efficiency. If there are faults or security concerns, set it to 0, which means a fixed MTU of 576 bytes is used.
"EnablePMTUDiscovery"=dword:00000000

; Enable SYN attack protection. The default value 0 means the protection is not enabled. The values 1 and 2 enable it; 2 is the stricter level.
; Whether the current load is treated as an attack is decided by the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values below, which set the trigger condition.
; Note: on NT 4.0 this must be set to 1; setting it to 2 can cause the system to restart when it receives a specially crafted packet.
"SynAttackProtect"=dword:00000002

; Number of half-open connections allowed at the same time. A half-open connection is a TCP session that has not been fully established; it appears in the SYN_RCVD state in netstat output.
; Here we use the Microsoft recommended values: 100 for Server, 500 for Advanced Server. Setting it slightly lower is suggested.
"TcpMaxHalfOpen"=dword:00000064

; Trigger point for deciding whether an attack is under way. Microsoft recommended values: 80 for Server, 400 for Advanced Server.
"TcpMaxHalfOpenRetried"=dword:00000050

; Time to wait for the SYN-ACK. The default value 3 corresponds to 45 seconds; 2 is 21 seconds; 1 is 9 seconds. The minimum is 0, meaning no waiting, with 3 seconds consumed.
; This value can be adjusted according to the size of the attack. Microsoft site security recommends 2.
"TcpMaxConnectResponseRetransmissions"=dword:00000001

; Number of times TCP retransmits a single data segment. The default value 5 corresponds to 240 seconds. Microsoft site security recommends 3.
"TcpMaxDataRetransmissions"=dword:00000003

; Critical point for SYN attack protection. When the available backlog drops to 0, this parameter controls when SYN attack protection is engaged. Microsoft site security recommends 5.
"TCPMaxPortsExhausted"=dword:00000005

; Prohibit IP source routing. The default value 1 means source-routed packets are not forwarded; 0 means all such packets are forwarded; 2 means all received source-routed packets are discarded. Microsoft site security recommends 2.
"DisableIPSourceRouting"=dword:00000002

; Limit the maximum time spent in the TIME_WAIT state. The default is 240 seconds, the minimum 30 seconds and the maximum 300 seconds. 30 seconds is recommended.
"TcpTimedWaitDelay"=dword:0000001e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]

; Increment for the NetBT connection backlog. The default is 3, the range 1-20. A larger value gives better performance when there are many connections. Each connection block consumes 87 bytes.
"BacklogIncrement"=dword:00000003

; Maximum number of NetBT connections. The range is 1-40000; here it is set to 1000. A larger value allows more simultaneous connections.
"MaxConnBackLog"=dword:000003e8

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Afd\Parameters]

; Activate the dynamic backlog. For systems under heavy network load or SYN attacks, 1 (dynamic backlog allowed) is recommended.
"EnableDynamicBacklog"=dword:00000001

; Minimum dynamic backlog: the minimum number of free connections the dynamic backlog keeps allocated. When the number of free connections falls below this number, more free connections are allocated automatically.
; The default value is 0. For systems under heavy network load or SYN attacks, 20 is recommended.
"MinimumDynamicBacklog"=dword:00000014

; Maximum dynamic backlog: the maximum number of "quasi-connections". It depends mainly on the amount of memory; in theory each 32 MB of memory allows about 5000 more. Here it is set to 20000 (hex 4e20).
"MaximumDynamicBacklog"=dword:00004e20

; Free connections added each time. The default value 5 defines how many free connections are added per increment. For systems under heavy network load or vulnerable to SYN attacks, 10 is recommended.
"DynamicBacklogGrowthDelta"=dword:0000000a

; ----------------------------------------------------------------
; The following entries need to be adjusted manually to the actual situation, so they are left commented out.
; ----------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

; Enable security filtering on the network card.
;"EnableSecurityFilters"=dword:00000001

; Number of TCP connections open at the same time; can be controlled according to the situation.
;"TcpNumConnections"=

; This parameter controls the size limit of the TCP header table. On machines with a lot of RAM, increasing this setting can improve responsiveness during a SYN attack.
;"TcpMaxSendFree"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Own NIC interface}]

; Disable router discovery. ICMP router advertisement packets can be used to add routing table entries, which can enable attacks, so router discovery is prohibited.
"PerformRouterDiscovery"=dword:00000000
; ----------------------------------------------------------------
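As an added example (not code from the original article, nor a Microsoft tool), the following Python script does the two checks an administrator would want after applying a file like the one above: it parses a .reg file of that form, audits the Tcpip\Parameters values against the recommendations the article lists, and counts half-open connections per remote address from netstat output, comparing the total with TcpMaxHalfOpen. The .reg text and the netstat lines are constructed samples; the key path and value names are the ones the article uses, and the script assumes the Windows netstat spelling SYN_RECEIVED for the SYN_RCVD state the article mentions. Only the TcpMaxHalfOpen threshold is modelled, because TcpMaxHalfOpenRetried depends on per-connection retransmit state that netstat does not show.

```python
"""Parse a Windows 2000 hardening .reg file, audit its anti-DoS values
against the recommended baseline, and compare the SYN-protection
threshold with the half-open connections seen in netstat output.

Added example: not code from the original article. The .reg text and
the netstat lines are constructed samples; the key path and value names
are the ones the article uses.
"""
import re
from collections import Counter

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Constructed sample: a trimmed .reg file in the same style as the article's.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
; SYN attack protection: 0 = off, 1 or 2 = on (2 is stricter)
"SynAttackProtect"=dword:00000002
"TcpMaxHalfOpen"=dword:00000064
"TcpMaxHalfOpenRetried"=dword:00000050
"EnableICMPRedirects"=dword:00000000
"DisableIPSourceRouting"=dword:00000002
"TcpTimedWaitDelay"=dword:0000001e
"""

# Constructed sample of `netstat -an` output; SYN_RECEIVED is the half-open state.
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:80          198.51.100.7:40001     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:40002     SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.5:51000      ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.7:40003     SYN_RECEIVED
  TCP    192.0.2.10:25          203.0.113.9:33000      SYN_RECEIVED
"""

# Value name -> (recommended value, what a deviation means). Values as the article gives them.
BASELINE = {
    "SynAttackProtect": (2, "SYN attack protection not at the stricter level"),
    "EnableICMPRedirects": (0, "ICMP redirect messages are accepted"),
    "DisableIPSourceRouting": (2, "source-routed packets are not discarded"),
    "EnableDeadGWDetect": (0, "dead-gateway detection is enabled"),
    "NoNameReleaseOnDemand": (1, "NetBIOS name release on demand is allowed"),
    "EnablePMTUDiscovery": (0, "path MTU discovery is enabled"),
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg(text):
    """Return {section: {value_name: int}} for dword values.
    Lines starting with ';' are comments, as in a real .reg file."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            values.setdefault(section, {})
            continue
        m = DWORD_RE.match(line)
        if m and section is not None:
            values[section][m.group(1)] = int(m.group(2), 16)
    return values


def audit(values):
    """Return [(name, found, expected, reason)] for baseline values that are
    missing (found is None) or differ from the recommendation."""
    present = values.get(TCPIP, {})
    findings = []
    for name, (expected, reason) in BASELINE.items():
        found = present.get(name)
        if found != expected:
            findings.append((name, found, expected, reason))
    return findings


def half_open_by_peer(netstat_text):
    """Count SYN_RECEIVED (half-open) connections per remote IP address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "SYN_RECEIVED":
            peer_ip = parts[2].rsplit(":", 1)[0]
            counts[peer_ip] += 1
    return counts


def syn_protection_state(values, netstat_text):
    """Return (total_half_open, over_limit). over_limit is True only when
    SynAttackProtect is non-zero and the half-open count exceeds TcpMaxHalfOpen
    (default 100 if the file does not set it)."""
    tcp = values.get(TCPIP, {})
    total = sum(half_open_by_peer(netstat_text).values())
    enabled = tcp.get("SynAttackProtect", 0) != 0
    return total, enabled and total > tcp.get("TcpMaxHalfOpen", 100)


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for name, found, expected, reason in audit(parsed):
        print(f"{name}: found {found}, expected {expected} ({reason})")
    total, over = syn_protection_state(parsed, SAMPLE_NETSTAT)
    print(f"half-open connections: {total}, over TcpMaxHalfOpen: {over}")
    print("top peers:", half_open_by_peer(SAMPLE_NETSTAT).most_common(3))
```

Run against a real export (regedit's "Export" produces the same `"Name"=dword:xxxxxxxx` lines) and a saved `netstat -an` capture, the audit reports the three values the sample file omits, and the per-peer counts show which remote address accounts for most of the SYN_RECEIVED entries, which is the first thing to look at when the half-open count approaches TcpMaxHalfOpen.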